market-data

Security checks across malware telemetry and agentic risk

Overview

This read-only market-data skill mostly does what it says, but it embeds a Polygon API key in the distributed source code.

Review before installing. The skill appears read-only and purpose-aligned, but the publisher should remove and rotate the exposed Polygon key, require a user- or platform-managed credential, encode user-supplied URL parts, and disclose the actual data providers used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding
A Polygon API key is hardcoded directly in source and then sent in outbound requests. Embedded credentials can be extracted by anyone with repository or package access, enabling unauthorized API use, quota exhaustion, billing exposure, and loss of control over the third-party account.

VirusTotal

64/64 vendors flagged this skill as clean.