csmar-agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a small financial-query wrapper, but it forwards user queries to an undisclosed plain-HTTP private-IP agent endpoint instead of a clearly documented CSMAR API.

Review before installing. Use it only if you know and trust the private IP service, understand that each query is sent over plain HTTP, and are comfortable sending financial research prompts to that backend. Avoid confidential or proprietary queries unless the endpoint and network are controlled and approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 87%
Finding
The skill declares no permissions in metadata, yet the associated behavior indicates network access. That mismatch weakens governance and user/admin visibility into what the skill can do, making it easier for external data exfiltration, unexpected remote calls, or policy bypass to go unnoticed. In this context, the skill is explicitly described as accessing external financial-report services, so undeclared network capability is especially relevant rather than incidental.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 94%
Finding
The skill claims to be limited to CSMAR A-share financial-report lookups, but the analyzed behavior suggests it sends arbitrary user queries to a generic internal agent endpoint and streams generic remote output. That creates a scope-expansion risk: users, reviewers, and policy systems may trust the skill as a narrow financial-data connector while it can function as a broader proxy to another agent/service, potentially returning unvetted or policy-incompatible content. The mismatch makes this more dangerous because invocation conditions are broad and the output is streamed without visible post-filtering.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The implementation does not match the declared skill purpose: instead of calling a CSMAR financial-report API, it sends arbitrary user queries to a generic internal query-answering endpoint. This creates a trust-boundary violation where users and operators may believe they are accessing a scoped financial data source, while their prompts are actually transmitted to a different internal service with different data handling, access scope, and behavior.

Vague Triggers

Medium
Confidence: 82%
Finding
The invocation guidance is broad enough that common finance-related prompts or simple keyword mentions may trigger this skill outside its intended narrow use case. Over-broad activation increases the chance that unrelated user input is routed to an external/networked tool, exposing data unnecessarily and bypassing more appropriate skills or safeguards. Because this skill appears to contact remote services, accidental triggering has more security significance than a purely local formatter would.

Missing User Warnings

Medium
Confidence: 97%
Finding
The code transmits user queries over plain HTTP to an internal service, which means the request content can be intercepted or modified by any actor with network visibility. Because this skill is intended for financial-report queries and may receive sensitive research prompts or internal business questions, lack of transport security materially increases confidentiality and integrity risk.

VirusTotal

65/65 vendors flagged this skill as clean.