螃蟹投研-压力支撑位蜡烛图

Security checks across malware telemetry and agentic risk

Overview

This is a stock charting skill that fetches market data and saves chart images, with no evidence of hidden or harmful behavior.

Install only if you are comfortable running Python stock-analysis scripts and their dependencies. Running the skill may contact public market-data services with the stock code and date range, and the Baostock script may create or overwrite a chart PNG on your Desktop.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%

Finding: The skill writes a PNG file directly to the user's Desktop, a side effect that the skill description does not disclose and that is performed without consent at the write site. Unexpected filesystem writes can violate user expectations, overwrite existing files with predictable names, and create privacy or workspace-clutter issues even when the content itself is non-executable.

Missing User Warnings

Severity: Low
Confidence: 92%

Finding: The code saves an output image to the Desktop without an explicit warning or confirmation at the write point. Even though the artifact is only a chart image, silent file creation is an unsafe practice for agent skills because it introduces non-transparent side effects and may overwrite files or leave traces on the user's machine.

VirusTotal

66/66 vendors flagged this skill as clean.