Free A Share Real Time Data

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed China A-share market-data helper with normal setup and network-use cautions, and no evidence of hidden, destructive, or exfiltrating behavior.

Install in a virtual environment if possible, because the setup script modifies Python packages. Use it only where outbound connections to third-party market-data servers are allowed, and treat the trading-hour bypass as a data-quality caveat rather than a guarantee that returned data is suitable for trading decisions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Low

Confidence: 83% confidence
Finding: The skill instructs users to run verification/demo commands and use APIs that connect to external TDX/mootdx market-data servers, but it does not clearly disclose this outbound network behavior up front. While expected for a stock-data client, missing disclosure can mislead users in restricted or sensitive environments and may cause unintended data egress or policy violations.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The script monkey-patches tdxpy.hq.time_frame to always return True, explicitly bypassing a library safety/logic check. In this skill's context, that changes expected behavior globally in-process and can cause consumers to trust data returned outside intended constraints, leading to silent integrity issues and misleading results in trading or analytics workflows.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal