A Stock Monitor 1.1.2

Security checks across malware telemetry and agentic risk

Overview

The skill is a plausible stock-monitoring tool, but its web app ships with unsafe default access settings that users should review before installing.

Install only if you are comfortable auditing or changing the web app settings first. Before running it, replace all default passwords, set a real Flask secret key, disable debug mode, bind to localhost unless you intentionally expose it, and review the cron jobs, webhook examples, and files it writes under the skill directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Category: MCP Least Privilege
Severity: Medium
Confidence: 91%
Finding
The skill advertises and documents capabilities that read/write local files and fetch external market data, yet it declares no permissions. This creates a transparency and policy-enforcement gap: users or platforms may approve the skill under a weaker trust assumption than its actual behavior warrants, especially given the documented SQLite caching, watchlist/config edits, and recurring network-fetch cron jobs.

Category: MCP Tool Poisoning
Severity: High
Confidence: 98%
Finding
This is a serious description-behavior mismatch: a stock monitoring skill reportedly also implements authentication, user-management APIs, password changes persisted to users.json, and hardcoded default credentials plus a secret key. Hidden account-management features materially expand the attack surface, and hardcoded credentials/secrets can enable unauthorized access, privilege abuse, or session forgery if the web app is exposed.

Context-Inappropriate Capability
Severity: Medium
Confidence: 98%
Finding
The documentation explicitly discloses a default login password and further instructs operators to change it by editing application code. Default credentials are commonly left unchanged in real deployments, making unauthorized access straightforward if the service is exposed beyond a trusted local environment.

Context-Inappropriate Capability
Severity: Medium
Confidence: 99%
Finding
The documentation explicitly publishes a default administrative username and password for a locally hosted web service. Even if intended for convenience, exposing admin credentials without requiring rotation makes unauthorized access trivial for anyone who can reach the interface, and the skill context increases risk because it advertises a running web service on port 5000 with automation and market data access.

Description-Behavior Mismatch
Severity: Medium
Confidence: 93%
Finding
The `/api/market/sentiment` endpoint lacks `@login_required` even though the rest of the monitoring application is largely access-controlled. This exposes internal market-analysis functionality to unauthenticated users and may allow unauthorized scraping, abuse, or enumeration of service behavior without any session boundary.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding
Publishing a default password without a strong warning to rotate it before use materially increases the chance of insecure deployment. In the context of a stock-monitoring web application with login-protected endpoints, this could expose market data, operational controls, or any linked trading workflows to unauthorized users.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding
The CORS example shows blanket enablement without any origin restrictions or warning about the consequences. If copied into the application, it can allow arbitrary websites to interact with the API from a user's browser, which becomes particularly risky when combined with cookie-based auth or weak/default credentials.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding
The examples automate sending alert content derived from local stock-monitoring data to an external Feishu/Lark webhook, but they do not clearly warn that this transmits portfolio/watchlist-related information off-host to a third party. In a finance-related skill, even seemingly simple alert text can reveal holdings, strategies, and trading behavior, creating privacy and operational security risk if users enable it without understanding the data flow.

Missing User Warnings
Severity: High
Confidence: 99%
Finding
This is a true security issue: the file discloses default login credentials and provides no warning to change them, no first-run rotation requirement, and no indication of access restrictions. In a production-ready monitoring system with a web UI and scheduled tasks, unchanged defaults can lead to immediate compromise of the application and any connected data or control functions.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding
The uninstall section includes destructive filesystem deletion commands (`rm -rf <skill-path>` and database removal) without an explicit warning, confirmation step, or guidance to verify the expanded path before execution. In installation documentation, this creates a real risk of accidental data loss if the placeholder is replaced incorrectly or executed from the wrong context.

VirusTotal

65/65 vendors flagged this skill as clean.