Mx Data

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward financial data lookup skill that sends user queries to a disclosed API using a user-provided API key.

Install only if you trust the Meixiang financial data service. Treat MX_APIKEY as sensitive, do not paste real keys into chat or committed files, and avoid sending confidential portfolio, client, or business information in toolQuery values unless approved.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill instructs users to send an API key in a request header to an external service but provides no guidance on protecting the secret, avoiding logs/history leakage, or limiting exposure in shared environments. While header-based API authentication is normal, the omission of handling and privacy warnings increases the risk of accidental credential disclosure through shell history, screenshots, copied commands, or debugging output.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill sends user-supplied queries to an external financial API but does not clearly warn that query content leaves the local environment. This can cause users or downstream agents to transmit sensitive internal research terms, portfolio details, client data, or proprietary prompts to a third party without informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal