Stock Price Alert

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stock-alert purpose, but its config can make it read and send any environment variable as an API key.

Install only if you trust the config file and keep it under your control. Use a dedicated Alpha Vantage API key, do not set apikey_env to sensitive variables like cloud tokens or session secrets, and test with --once before leaving continuous polling enabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The script lets the config control the name of the environment variable it reads for the API key, via indirect expansion (${!API_KEY_ENV}). This gives the script broader secret-access capability than a stock alert tool needs: a modified config can cause it to read arbitrary environment variables and transmit their values to an external API as the apikey parameter.

VirusTotal

55/55 vendors flagged this skill as clean.
