Security audit

Stock Analysis

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis plugin mostly matches its purpose, but it has serious command-execution and API-credential handling risks that need manual review before installation.

Install only if you trust the publisher and can run it in a constrained environment. Do not provide API keys until the shell=True command paths are fixed, Tushare uses HTTPS, and sentiment API hosts are allowlisted. Treat outputs as general market analysis, not personalized investment advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (31)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _run_tool(script: str, args: str):
    cmd = f"{sys.executable} {TOOLS_DIR}/{script} {args}"
    try:
        r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
        if r.returncode == 0 and r.stdout.strip():
            return json.loads(r.stdout)
    except Exception:
Confidence
99% confidence
Finding
r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _run_tool(script: str, args: str) -> dict | list:
    cmd = f"python3 {TOOLS_DIR}/{script} {args}"
    try:
        r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
        if r.returncode == 0 and r.stdout.strip():
            return json.loads(r.stdout)
    except Exception:
Confidence
94% confidence
Finding
r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _run_tool(script: str, args: str) -> dict:
    cmd = f"python3 {TOOLS_DIR}/{script} {args}"
    try:
        r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
        if r.returncode == 0 and r.stdout.strip():
            return json.loads(r.stdout)
    except Exception:
Confidence
98% confidence
Finding
r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    tools_dir = Path(__file__).parent
    try:
        result = subprocess.run(
            [sys.executable, str(tools_dir / "search_intel.py"), "search", f"{symbol} 最新消息"],
            capture_output=True,
            text=True,
Confidence
92% confidence
Finding
result = subprocess.run( [sys.executable, str(tools_dir / "search_intel.py"), "search", f"{symbol} 最新消息"], capture_output=True, text=True, timeo

Tainted flow: 'headers' from os.environ.get (line 301, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
        for source in ["reddit", "twitter", "polymarket"]:
            try:
                resp = requests.get(f"{api_url}/trending/{source}", headers=headers, timeout=10)
                if resp.ok:
                    result["trending"][source] = resp.json()
            except Exception:
Confidence
81% confidence
Finding
resp = requests.get(f"{api_url}/trending/{source}", headers=headers, timeout=10)

Tainted flow: 'headers' from os.environ.get (line 301, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
            for source in ["reddit", "twitter", "polymarket"]:
                try:
                    resp = requests.get(f"{api_url}/sentiment/{source}/{symbol}", headers=headers, timeout=10)
                    if resp.ok:
                        result["sources"][source] = resp.json()
                except Exception:
Confidence
82% confidence
Finding
resp = requests.get(f"{api_url}/sentiment/{source}/{symbol}", headers=headers, timeout=10)

Tainted flow: 'token' from os.environ.get (line 328, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    ts_code = f"{symbol}.SH" if symbol.startswith(("6", "9", "5")) else f"{symbol}.SZ"

    resp = requests.post(
        "http://api.tushare.pro",
        json={
            "api_name": api_name_map.get(period, "daily"),
Confidence
97% confidence
Finding
resp = requests.post( "http://api.tushare.pro", json={ "api_name": api_name_map.get(period, "daily"), "token": token, "params": {

Tainted flow: 'token' from os.environ.get (line 328, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    ts_code = f"{symbol}.SH" if symbol.startswith(("6", "9", "5")) else f"{symbol}.SZ"

    resp = requests.post(
        "http://api.tushare.pro",
        json={
            "api_name": "realtime_quote",
Confidence
97% confidence
Finding
resp = requests.post( "http://api.tushare.pro", json={ "api_name": "realtime_quote", "token": token, "params": {"ts_code": ts_code}, },

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The strategy description promises a 20-day high breakout entry, but the implemented entry logic checks Bollinger-band position, volume ratio, and daily price change instead. This mismatch can mislead users or downstream agents into deploying a strategy with materially different trading behavior than advertised, causing unintended market exposure and incorrect risk assumptions.

Intent-Code Divergence

Low
Confidence
87% confidence
Finding
The exit logic uses a 510-period MA-diff cross-below condition that is not consistent with the stated 20-day breakout strategy. While this is less severe than hidden execution or data exfiltration, it can still cause users to misunderstand holding periods and exit behavior, leading to poor trading decisions and strategy misuse.

Context-Inappropriate Capability

Medium
Confidence
76% confidence
Finding
This helper performs subprocess-based tool chaining even though the task is anomaly detection, expanding the attack surface beyond pure local analysis. In this file the danger is not merely orchestration itself, but that the orchestration is implemented through shell execution of dynamically composed commands.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
This file's purpose is market regime classification, but it also delegates to another tool through a shell execution boundary. That expands the attack surface and creates unnecessary privilege/capability coupling, so a data-analysis skill can trigger arbitrary subprocess behavior if the wrapper is ever reused with less trusted inputs.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The module claims to be a stock-data fetcher, but its news fallback delegates to a separate search tool, broadening behavior beyond the apparent purpose. In an agent skill, hidden capability expansion is risky because it changes trust assumptions, may access different data sources, and can bypass the user's understanding of what will execute.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Invoking another script through subprocess for a news fallback is a powerful execution capability not justified by the file's stated purpose. In a skill ecosystem, this can enable lateral execution of code outside the reviewed module, undermining sandboxing and increasing supply-chain risk if the sibling tool is modified or less trusted.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises external news and social-intelligence features that require third-party API keys, but it does not disclose that user queries, stock tickers, watchlists, or other inputs may be transmitted to external providers. In a conversational plugin context, this creates a real privacy and data-governance risk because users may invoke these tools without understanding that their prompts or investment interests could leave the local environment.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The plugin is configured with `onStartup: true`, which causes it to activate automatically without any explicit user action or trigger constraints. For a skill that exposes many market, news, screening, and backtesting tools, this increases the chance of unintended invocation, unnecessary data access, or surprise background activity, even if the manifest does not itself show direct code execution.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill description says it should be used whenever the user asks for '龙头股分析', but the capability is effectively generic stock-selection and trading analysis. Broad invocation criteria can cause the agent to route ordinary stock-analysis requests into a specialized strategy skill that produces prescriptive trading advice without checking suitability, user intent, or safety constraints.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill gives concrete buy/sell timing rules and operational trading recommendations, but it does not include any explicit warning about financial risk, uncertainty, or that the content is not personalized investment advice. In context, this increases the chance that users treat speculative strategy guidance as authoritative and act on it without understanding loss risk.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger condition '当用户要求情绪分析时使用' is overly broad, so the skill may activate for vague emotional-analysis requests that are unrelated to financial markets. That can cause inappropriate routing, unexpected tool use, and delivery of trading-oriented advice in contexts where the user did not clearly request market analysis.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The skill is authored entirely in Chinese and directs operation/output in Chinese without indicating that the assistant should adapt to the user's language. This can cause user confusion, reduce transparency, and create opportunities for misunderstanding of financial-risk guidance if the user is not Chinese-speaking.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger condition '当用户要求均线分析时使用' is overly broad because it does not define clear scope, exclusions, or priority relative to other finance-related skills. In an agent system, this can cause unintended activation on loosely related requests, leading to incorrect tool use, confusing routing, or application of this trading-analysis workflow where it is not appropriate.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
The skill hardcodes a Chinese-language persona and presentation without checking the user's preferred language. This can degrade reliability and user comprehension, and in some cases cause the agent to ignore user instructions about language or format, which is a prompt-quality and usability security concern rather than a direct exploit primitive.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill gives specific buy-entry timing, stop-loss placement, and profit-target guidance that could directly influence a user's financial decisions, yet it provides no risk disclosure, suitability caveat, or reminder that technical patterns can fail. In a trading-oriented skill, this omission makes the guidance more dangerous because users may treat the output as actionable investment advice rather than educational analysis.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger description '当用户要求选股或筛选时使用' is broad enough to activate on generic stock-related requests, which can cause the agent to invoke this skill without clear user intent or suitability checks. In a financial context, over-broad activation is risky because it may steer users into screening or recommendation workflows when they asked for general education or analysis, increasing the chance of unintended investment guidance.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
The skill content is written to operate in Chinese without offering language negotiation, which can cause the agent to respond in a language the user did not request or understand. While this is not a direct code-execution issue, it can degrade comprehension of financial outputs and risk disclosures, making screening results easier to misinterpret.

VirusTotal

65/65 vendors flagged this plugin as clean.