Security audit

小五子 - 理财分析

Security checks across malware telemetry and agentic risk

Overview

This is a small instruction-only financial analysis skill that discloses Feishu alerting and does not include code, installers, or privileged actions.

Before installing, confirm that any Feishu alert destination is trusted and intended, avoid sending private financial details unless deliberate, and treat the skill as analysis support rather than trading authorization or financial advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly states that real-time analysis conclusions can be pushed to Feishu, but it provides no notice, consent flow, or description of what data may leave the system. That creates a genuine data exfiltration and privacy risk because potentially sensitive market analysis, user inputs, or derived signals could be transmitted to an external service without clear user awareness.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal