Back to skill

Security audit

Gold Price - 黄金价格行情

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward TianAPI gold-price lookup tool, with some ordinary API-key handling cautions but no hidden or purpose-mismatched behavior found.

Install only if you intend to use TianAPI for precious-metal price lookups. Prefer setting TIANAPI_GOLD_KEY as an environment variable, avoid passing the key directly on the command line, and if you use scripts/.env, keep it out of version control and treat it as a secret.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation and metadata indicate use of environment variables, local file access (.env), and outbound network requests, but no explicit permissions declaration is present. This creates a transparency and trust problem: users may not understand that the skill reads secrets and sends requests to a third-party API, increasing the risk of unintended credential exposure or misuse.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs users to invoke a third-party API with their API key but does not clearly warn that the key will be transmitted off-platform to TianAPI. Omitting this privacy notice can mislead users about data flow and increases the chance they expose credentials without understanding the trust boundary.

Credential Access

High
Category
Privilege Escalation
Content
# 方式一:环境变量(推荐,一次配置永久生效)
    export TIANAPI_GOLD_KEY=你的APIKey

    # 方式二:.env 文件(在脚本目录创建)
    echo "TIANAPI_GOLD_KEY=你的APIKey" > scripts/.env

    # 方式三:每次命令行传入
Confidence
86% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
export TIANAPI_GOLD_KEY=你的APIKey

    # 方式二:.env 文件(在脚本目录创建)
    echo "TIANAPI_GOLD_KEY=你的APIKey" > scripts/.env

    # 方式三:每次命令行传入
    python3 scripts/fetch_gold-price.py --key 你的APIKey --kinds au9999
Confidence
93% confidence
Finding
.env

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.