Security audit

Stocktoday Data

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed financial-data skill that requires a StockToday API token and network access, with credential-handling cautions but no evidence of hidden exfiltration or destructive behavior.

Install only if you intend to use StockToday's data service and are comfortable sending API requests to its gateway. Keep TUSHARE_TOKEN in an environment variable, do not paste real tokens into chat or shared files, avoid the documented HTTP backup gateway, and treat generated market analysis as data support rather than financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The documented `token_info` endpoint explicitly accepts a raw token and returns sensitive account metadata including token validity, permissions, and enabled plugins. In a skill context, this expands the blast radius of prompt-injection or accidental credential disclosure by giving an attacker a built-in reconnaissance primitive to validate stolen tokens and enumerate capabilities before further abuse.

Vague Triggers

Medium
Confidence: 78%
Finding
The trigger phrases are very broad and map common, ambiguous user research language directly into tool execution paths. In an agent setting, this can cause over-invocation of the skill on loosely related prompts, increasing the chance of unintended network access, token-backed queries, or mis-scoped financial data retrieval without clear user consent.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation says `token_info` is '必调用' ("must be called") and asks for a `token` parameter, but does not clearly warn that the token is a sensitive credential that must never be exposed in prompts, logs, or shared workflows. In an LLM-agent setting, this creates a realistic path for users or downstream tools to leak credentials into model context or telemetry, after which the same endpoint can help confirm whether the leaked token is live and what it can access.

Missing User Warnings

Medium
Confidence: 96%
Finding
The code rewrites the Tushare client’s internal HTTP endpoint to a custom StockToday gateway and includes an HTTP backup endpoint, causing the user’s API token to be transmitted to infrastructure outside the official service. Users are not clearly warned that their credentials and request metadata may be proxied through a third party, which creates credential exposure, traffic interception, and unauthorized data collection risks.

Unpinned Dependencies

Low
Category: Supply Chain
Content
tushare>=1.4.0
pandas>=1.0
Confidence: 95%
Finding
tushare>=1.4.0

Unpinned Dependencies

Low
Category: Supply Chain
Content
tushare>=1.4.0
pandas>=1.0
Confidence: 98%
Finding
pandas>=1.0

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.