Back to skill

Security audit

Cifang Fund Data

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Cifang Quant fund-data client that uses an API key to fetch ETF/LOF market data, with no hidden persistence or unrelated behavior found.

Install only if you trust Cifang Quant and are comfortable sending your CIFANG_API_KEY to its API. Prefer passing the key explicitly or via a short-lived environment variable, and restrict automatic activation if you do not want generic finance prompts to trigger live data requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger description is broad enough that the skill may activate for generic finance-analysis requests, causing unexpected external API calls and use of the user's API key. In this context, over-broad invocation increases the chance of unnecessary secret use, unintended data disclosure to a third party, and surprise actions beyond the user's expectation.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.