Back to skill

Security audit

A股实时行情数据

Security checks across malware telemetry and agentic risk

Overview

This is a read-only China stock-data helper with a clearly disclosed runtime patch that may affect market-data behavior but does not show hidden access or theft.

Use this in an isolated Python environment and consider pinning/reviewing the mootdx dependency versions. Be aware that the trading-hour bypass may return empty, stale, or unexpected data outside normal market conditions, so validate timestamps and trading calendars before relying on the output for financial automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The script globally monkey-patches tdxpy.hq.time_frame to always return True, disabling a built-in guard intended to constrain transaction queries to expected trading-hour behavior. In this skill context, that does not look malicious, but it silently changes library semantics for the whole process and may cause downstream code to trust data fetched outside normal constraints, leading to incorrect automation, policy bypass, or hard-to-debug misuse of market data APIs.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.