stock-research-engine

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only stock research skill that may look up public market information, but it does not request code execution, credentials, persistence, or account-changing authority.

Install only if you want a Chinese-language stock research assistant that may send the company name or ticker you ask about to external search or financial data sources. Verify market data against primary sources and do not treat the confident fund-manager style as licensed financial advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The trigger scope is excessively broad, matching common phrases like asking whether a company is good or worth buying, as well as raw ticker-like strings. This can cause unintended activation in unrelated conversations, leading the agent to switch into a specialized financial-analysis mode unexpectedly and potentially provide regulated or miscontextualized advice.

Natural-Language Policy Violations

Medium

Confidence: 81% confidence
Finding: The skill description is written to produce Chinese output by default without checking user language preference or offering opt-in. This can cause policy and usability issues by overriding the user's expected language, and in multilingual contexts may confuse the user or obscure important financial-risk caveats.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal