Security audit

Stock Analysis

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent stock-analysis tool, but its optional social scanning asks users to expose live X/Twitter session credentials to an external CLI with overly broad local permissions.

Install only if you are comfortable with the optional Twitter/X scanners. Avoid providing AUTH_TOKEN or CT0 unless you understand they are live session credentials, do not grant Terminal Full Disk Access casually, keep any .env file out of shared folders or repositories, and prefer running the finance-only commands or hot scanner with --no-social when you do not need social-media data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (15)

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: The documentation expands the skill into collecting and using Twitter/X authentication tokens and browser-derived session material, which is a sensitive credential-handling workflow not necessary for core Yahoo Finance analysis. Even though this is presented as optional setup, encouraging users to extract and store auth tokens increases the chance of credential theft, misuse, or overcollection of access beyond the stated purpose.

Context-Inappropriate Capability

Medium

Confidence: 79% confidence
Finding: The skill's stated purpose is stock and crypto analysis, but it extends functionality by invoking an external bird CLI to access Twitter/X data. This broadens the trust boundary to another executable that may use credentials, network access, and behavior not visible in this script, making the skill materially more dangerous in context.

Context-Inappropriate Capability

Medium

Confidence: 94% confidence
Finding: The script loads secrets from a local .env file into process environment variables and then passes the full environment to an external social-media scraping CLI. If that CLI is compromised, misconfigured, or logs its environment, unrelated secrets can be exposed beyond what is needed for the search operation.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The README explicitly instructs users to extract Twitter/X session cookies (`AUTH_TOKEN` and `CT0`) from browser DevTools and store them in a local `.env` file. These are authentication credentials, not ordinary API keys, and their disclosure can enable account hijacking or unauthorized use of the user's X session; the lack of a strong warning or safer alternative materially increases the risk.

Vague Triggers

Medium

Confidence: 79% confidence
Finding: The description contains broad triggers like stock analysis, portfolio tracking, crypto monitoring, trending stocks, and rumors, which can cause the skill to be selected for many ordinary finance-related prompts. Over-broad activation increases the chance that a higher-risk skill with shell, network, and persistence features is invoked when a narrower, safer response would suffice.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill promotes portfolio and watchlist features that persist user financial interests to local JSON files, but the user-facing command descriptions do not clearly warn at the time of use that data will be stored on disk. This can expose sensitive investment holdings, targets, and trading interests to other local users, backups, logs, or later compromise of the host environment.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: Telling users to grant Terminal Full Disk Access materially increases the local privilege of the terminal and any subprocesses it launches, which can expose browser data, cookies, documents, and other sensitive files. Without a clear warning or safer alternative, this normalizes a broad system-permission change for a non-essential optional feature.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The docs instruct users to manually extract `auth_token` and `ct0` cookies from the browser and place them in `.env` or environment variables without emphasizing that these are live session credentials. If exposed through shell history, logs, dotfiles, backups, or repo commits, an attacker could hijack the user's Twitter/X session or abuse the account.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The usage guide instructs users to run portfolio and watchlist commands that create, add, remove, and persist local state, but it does not clearly warn that these actions modify stored user data. In an agent or automation context, documentation like this can cause unintended stateful side effects, such as silently creating portfolios or altering watchlists, which is risky because users may assume the examples are read-only analysis commands.

Missing User Warnings

Low

Confidence: 66% confidence
Finding: In normal execution, the script performs network requests for breaking news and market context without clear user-facing disclosure beyond source code and optional verbose logs. In an agent-skill setting, undisclosed outbound requests can surprise users, leak ticker interests and usage timing to third parties, and violate expectations about local-only analysis.

Missing User Warnings

Low

Confidence: 72% confidence
Finding: The EDGAR insider-analysis path contacts a third-party service and sets a fixed identity string without clear user disclosure during ordinary runs. In a skill context, this creates privacy and policy concerns because user-requested ticker analysis can trigger external lookups and send a hardcoded identifier to the SEC, which may be unexpected and attributable.

Missing User Warnings

Medium

Confidence: 76% confidence
Finding: The script executes an external bird CLI without warning the user that an additional program will run and potentially access external services. In an agent skill context, undisclosed subprocess execution increases supply-chain and privacy risk because the user may reasonably expect only direct finance-data retrieval, not execution of separate tooling.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The script loads all values from a local .env file into process environment variables and later passes the full environment to a subprocess. That creates a clear path for unnecessary credential exposure to the external bird binary, which may read, log, or transmit secrets unrelated to the scan.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The code silently reads a .env file and injects all parsed values into the runtime environment without warning or scoping. This increases the blast radius of local secrets because later code and child processes can access variables that were not intended for this script.

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The script invokes an external Bird CLI to query social-media content, but this dependency and its network/data-handling implications are not clearly disclosed in the user-facing description. In agent settings, hidden external execution can undermine trust and expose credentials or metadata unexpectedly.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.