Market Entity Statistics

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal market-statistics API skill, with some documentation gaps around when to use it and how to handle its API key.

Install only if you intend to use this market-statistics provider and are comfortable configuring its API key. Store the key in a local secret or environment mechanism, do not paste it into ordinary chat unless you explicitly intend that, and use the skill for specific market-entity statistics requests rather than broad business-data tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding
The skill description is broad enough to match generic 'business data' requests, which can cause the agent to invoke this API outside its narrowly intended use for market-entity statistics. Over-broad routing increases the chance of unnecessary external data transmission and inappropriate use of credentials for unrelated queries.

Missing User Warnings

Medium
Confidence: 94%
Finding
The documentation requires an API_KEY but provides no warning about secret handling, storage, redaction, or user consent. In an agent setting, this can lead to credentials being requested from users, echoed in logs, or forwarded insecurely to third-party services.

VirusTotal

61/61 vendors flagged this skill as clean.
