Plusefin Analysis

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward financial-data helper that uses a disclosed API key to fetch read-only market information from PlusE.

Install only if you are comfortable sending financial queries and your PlusE API token to PlusE's service. Keep the API key out of prompts, screenshots, commits, and logs, and treat the financial outputs as research support rather than investment advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 87% confidence
Finding: The documentation instructs users to export an API key but provides no warning about keeping credentials secret, avoiding hardcoding, or preventing accidental disclosure in logs, screenshots, shell history, or committed files. In an AI-agent skill context, missing credential-handling guidance increases the chance that users expose secrets while setting up or troubleshooting the tool.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal