
Security audit

Stock Terminal

Security checks across malware telemetry and agentic risk

Overview

This is a read-only stock research skill with a clearly scoped API-key use and no executable install behavior; hosts should nonetheless sandbox its optional headline-fetching and embed rendering, since those are the only places it reaches beyond the SentiSense API.

Install this if you are comfortable giving the skill a SentiSense API key for read-only financial data. If your host enables the news-headline or social-embed features, restrict outbound fetching to public, non-internal URLs (re-checking each redirect hop), cap response size and redirect count, sanitize oEmbed HTML before rendering it, and never let the API key appear in rendered output.
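As an added illustration of the hardening the overview asks of the host (this is example code, not code from the Stock Terminal skill or its publisher), the following Python implements an outbound-fetch guard: scheme and credential checks on the URL, resolution to a public address with IPv4-mapped IPv6 unwrapped, per-hop re-validation of redirects up to a cap, a body-size cap, a rebuilt sandboxed iframe in place of raw oEmbed HTML, and redaction of the API key from anything that will be rendered. The `fetch_once` transport interface, the injected resolver, the allowlisted embed hosts and the `api_key=` parameter name are assumptions made for the example.

```python
import html
import ipaddress
import re
import socket
from typing import Optional
from urllib.parse import urljoin, urlparse

MAX_BODY_BYTES = 256 * 1024   # hard cap on any fetched body (headline page, oEmbed JSON)
MAX_REDIRECTS = 3             # hops allowed; every hop is re-validated below
# Assumed allowlist of embed providers; a real host would configure this.
ALLOWED_EMBED_HOSTS = {"www.youtube.com", "platform.twitter.com"}


def is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses.

    Blocks loopback, RFC1918, link-local (169.254.169.254 cloud metadata),
    multicast, reserved and unspecified, and unwraps IPv4-mapped IPv6 so
    ::ffff:127.0.0.1 cannot slip past the IPv4 checks.
    """
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_url(url: str, resolver=socket.gethostbyname) -> str:
    """Validate an outbound URL and return the IP it resolves to.

    Rejects non-http(s) schemes, embedded credentials and hosts that resolve
    to non-public addresses. The caller must connect to the returned IP (and
    send the original Host header) rather than re-resolve, or a DNS-rebinding
    attacker can pass this check and flip the record before the connect.
    """
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {p.scheme!r}")
    if p.username or p.password:
        raise ValueError("credentials in URL not allowed")
    if not p.hostname:
        raise ValueError("missing host")
    ip = resolver(p.hostname)
    if not is_public_ip(ip):
        raise ValueError(f"{p.hostname} resolves to non-public address {ip}")
    return ip


def fetch_with_limits(url: str, fetch_once, resolver=socket.gethostbyname) -> bytes:
    """Fetch url with at most MAX_REDIRECTS hops, validating every hop and
    truncating the body at MAX_BODY_BYTES.

    fetch_once(url, ip) -> (status, location_or_None, body_bytes) is the
    transport, injected so the example runs offline (assumed interface). A
    real transport should stream and stop reading after MAX_BODY_BYTES + 1.
    """
    for _ in range(MAX_REDIRECTS + 1):
        ip = check_url(url, resolver)
        status, location, body = fetch_once(url, ip)
        if status in (301, 302, 303, 307, 308):
            if not location:
                raise ValueError("redirect without Location")
            url = urljoin(url, location)   # relative Location resolved, then re-checked
            continue
        if status != 200:
            raise ValueError(f"unexpected status {status}")
        return body[:MAX_BODY_BYTES]
    raise ValueError("too many redirects")


_IFRAME_SRC = re.compile(r'<iframe\b[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)


def sanitize_oembed_html(provider_html: str) -> Optional[str]:
    """Never inject provider HTML into the page as-is.

    Extract the first iframe src, require https and an allowlisted host, and
    rebuild a minimal sandboxed iframe around it. Returns None when nothing
    safe can be recovered; the host should then render a plain link instead.
    """
    m = _IFRAME_SRC.search(provider_html)
    if not m:
        return None
    src = urlparse(m.group(1))
    if src.scheme != "https" or src.hostname not in ALLOWED_EMBED_HOSTS:
        return None
    if src.username or src.password:
        return None
    return (f'<iframe src="{html.escape(m.group(1), quote=True)}" '
            'sandbox="allow-scripts" referrerpolicy="no-referrer" loading="lazy"></iframe>')


def redact_key(text: str, api_key: str) -> str:
    """Scrub the SentiSense key from anything that reaches the rendered output.

    Removes the literal key wherever it appears and also blanks any
    api_key= / apikey= query value (the parameter name is an assumption).
    """
    scrubbed = text.replace(api_key, "[REDACTED]")
    return re.sub(r'(?i)(api[_-]?key=)[^&\s"\']+', r'\1[REDACTED]', scrubbed)
```

The resolver and transport are injected so the guard can be unit-tested against a fixed host table; in production, wire `fetch_once` to connect to the IP returned by `check_url` so the address that was validated is the one actually dialled.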

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The skill advertises itself as read-only and centered on SentiSense data, but it explicitly directs the host to fetch arbitrary third-party URLs for headline resolution and embeds. That expands the trust boundary from a single API to unvetted external content, creating SSRF/open-fetch, privacy leakage, and unsafe content-rendering risk if the host implements the guidance naively.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The guidance includes generalized web retrieval behavior beyond the declared purpose of a stock-data terminal, instructing the agent/application to fetch and parse arbitrary pages. In a host environment with broad network access, this can be repurposed to retrieve attacker-controlled URLs, increasing exposure to SSRF, tracking, and malicious content ingestion.

Intent-Code Divergence

Severity: Low
Confidence: 79%
Finding
The document acknowledges that source retrieval is an independent application action, but still operationalizes that retrieval as part of the normal workflow. This mismatch can mislead integrators into assuming the behavior is harmless or in scope, causing them to enable external fetching without fully accounting for the added attack surface.

Anti-Refusal Statement

Severity: High
Category: Anti-Refusal
Confidence: 55%
Finding
Flagged phrase: "Don't apologize"
Content
These are the failure modes the skill is designed to steer around.

- **Don't narrate the work.** "Let me look that up..." or "I'll need to call several endpoints..." is an anti-pattern. The terminal does the work silently.
- **Don't apologize.** "I'm sorry, I can only show preview data" is an anti-pattern. Silently render what you have; flag `(preview)` in the corner if the user is on Free.
- **Don't issue personal recommendations.** "$NVDA is a strong buy" or "you should sell $TSLA" is an anti-pattern. This skill is a data interface, not an advisor. Show data and educational framing; let the user draw conclusions.
- **Don't ask follow-up clarifying questions for unambiguous asks.** "Did you want price or sentiment for $NVDA?" is an anti-pattern. Run the full `open` screen: it shows both.
- **Don't pretty-print one number.** A user asking "$NVDA price" gets a one-line answer (`$NVDA $890.12 (+1.4%)`). They don't get a 30-line `open` screen for a price quote.

VirusTotal

All 55 VirusTotal vendors returned a clean verdict for this skill (0/55 detections).

Static analysis

No suspicious patterns detected.