Back to skill

Security audit

A股短线营收分析助手

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis skill is purposeful, but it needs review because it stores user stock queries locally and can produce concrete trading instructions despite a not-advice disclaimer.

Install only if you are comfortable with a financial-analysis skill that can use your East Money API key, send stock queries to East Money, retain recent request and routing data locally, and generate trading-style suggestions. Treat outputs as research, not advice, and avoid entering sensitive portfolio details, insider information, or proprietary strategy text unless the local logging behavior is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill advertises only a markdown-defined analyst workflow, yet the static analysis indicates access to environment variables, filesystem read/write, and network without declared permissions. Hidden capability expansion is dangerous because it can enable exfiltration of API keys, local report data, or user inputs, and can persist or alter files outside the user’s expectation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The declared behavior materially differs from the detected behavior: the skill appears to implement routing, persistence, quota tracking, validation, report processing, and broader stock/report generation beyond the stated analysis function. This mismatch undermines informed consent and security review, because users may provide sensitive inputs believing the skill is a narrow stock-analysis helper while it actually stores data, processes local files, and calls external services.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The skill states that it must not output a final trading decision, but the required JSON simultaneously forces a directional field `decision_hint` with values like `可做`、`观察`、`回避`. This contradiction can cause downstream agents or users to treat the output as investment advice despite the stated prohibition, increasing compliance and decision-manipulation risk.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code reads an Eastmoney API key from both environment variables and local .env files under the skill root. In an agent-skill context, local secret-file scraping expands the trust boundary beyond normal runtime injection and can unintentionally consume credentials placed in repository-adjacent files, which is broader than necessary for a stock-analysis helper.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The generic POST wrappers accept arbitrary URLs, and _build_eastmoney_url even permits fully qualified http/https endpoints. If any caller can influence the endpoint or URL source, this becomes an SSRF/exfiltration primitive that can send user data and API credentials to attacker-controlled destinations, which is materially broader than the stated Eastmoney-only purpose.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The router stores user requests and routing artifacts in local JSON files, creating persistent retention of potentially sensitive financial queries without any clear necessity or consent mechanism. In an analysis assistant, this expands the data-handling surface and can expose user behavior, symbols of interest, and request history to other local users, backups, or later components.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The duplicate-request cache persistently records normalized requests and usage timing, enabling user behavior tracking beyond the stated stock-analysis function. Even if intended for throttling, this creates an unnecessary audit trail of financial interests and request patterns that could be sensitive and abused if the host is shared or compromised.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The route history log appends full routing results, including request text, normalized request, intent classification, metadata, and timestamps, creating a durable record of user activity. For a financial analysis skill, that can reveal trading interests, research targets, and usage patterns without a demonstrated business need or clear notice.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file explicitly presents concrete trading recommendations, price targets, stop-loss levels, and position sizing while framing itself as a reference-style analysis. That creates a real safety/integrity issue because users can reasonably act on it as direct trading instruction despite the softer framing.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The disclaimer says the report is 'not investment advice,' but the body provides unmistakably actionable advice, including preferred picks, entry zones, stop-loss thresholds, and take-profit levels. This contradiction is dangerous because it can mislead users and downstream systems into treating regulated advice as harmless reference material.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
News-search requests transmit user questions, stock code, stock name, and time range to an external Eastmoney service without any in-function disclosure or consent mechanism. In an agent setting, undisclosed third-party transmission of user-supplied content is a real privacy and data-governance risk, especially if prompts contain sensitive trading intent or proprietary research context.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Structured query calls forward user-provided search terms and stock identifiers to an external API without visible disclosure at the call site. This creates a privacy/compliance issue because user inputs and analysis targets leave the local skill boundary and may be logged or retained by the upstream provider.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
Stock-screening requests send user query text plus derived conditions to an external service, again without visible user disclosure. Because the derived conditions may reveal user strategy, preferences, or proprietary screening logic, this broadens privacy exposure beyond simple ticker lookup.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code writes request content and routing metadata to local JSON files without any visible disclosure, opt-in, or privacy control. Silent collection is risky because users may reasonably expect a stock-analysis assistant to process prompts ephemerally, not retain a local dossier of their requests.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The intent cache stores normalized user requests on disk, which still preserves semantic content even if formatting is removed. This is dangerous because normalized prompts can expose investment research topics and user intent while operating silently in a skill that appears to be focused on analysis rather than surveillance or long-term storage.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The report issues broad 'buy/observe' style recommendations and detailed execution guidance without a defined activation scope, audience restriction, suitability assessment, or contextual limits. In an agent skill, that makes the content more dangerous because it can be reused out of context and delivered as generalized trading advice to inappropriate users or situations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.