FP-DCF

Security checks across malware telemetry and agentic risk

Overview

This skill is a finance valuation tool that runs local Python code and may fetch public market data, with no evidence of hidden exfiltration, trading, purchases, or destructive behavior.

Install only if you are comfortable running a local Python finance tool that can fetch market data from Yahoo Finance, AkShare, and BaoStock and cache provider snapshots locally. For private or policy-restricted work, use manual fundamentals, disable provider-backed refreshes, and set a dedicated cache/output directory.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Low

Confidence: 74% confidence
Finding: The skill instructs the agent to write files and execute a local Python command but does not require an explicit user-facing notice that workspace files will be created or modified. In agent environments, undisclosed file creation and command execution can surprise users, overwrite existing paths, or expand the blast radius if inputs are mishandled elsewhere.

Missing User Warnings

Low

Confidence: 84% confidence
Finding: The skill supports provider-backed runs that fetch live data from external services and maintain a local cache, but it does not prominently require disclosure that network access may occur and that ticker/query data may be sent to third parties. In privacy-sensitive or restricted environments, silent outbound requests can violate user expectations, policy, or data-handling requirements.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal