0602-tosr2-01

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis skill is mostly purpose-aligned, but its optional Twitter/X feature asks users to handle powerful browser session tokens and broad local access without enough safeguards.

Review this before installing if you plan to use Twitter/X integration. The core finance features appear coherent, but avoid granting Terminal Full Disk Access or copying live X/Twitter browser cookies unless you fully accept the account-access risk. If you use the social scanners, keep .env out of shared folders and source control, restrict file permissions, remove or rotate tokens after use, and prefer running with --no-social when you do not need X/Twitter data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The documentation instructs users to obtain and supply live Twitter/X authentication material, including browser-derived cookies, to enable an optional data source. That creates a real credential-handling risk because copied session tokens can be misused for account access, and the guidance normalizes harvesting secrets from a browser session without strong scoping, storage, or revocation guidance.

Context-Inappropriate Capability

Low
Confidence
93% confidence
Finding
The script automatically loads every key from a local .env file into the process environment, which can expose unrelated secrets to the scanner and any subprocesses it launches. In this file, that becomes more dangerous because the Twitter scan later forwards the environment to an external CLI, expanding secret exposure beyond what is necessary for stock analysis.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script loads every key from a local .env file into process environment variables and then makes them available to an external CLI. That creates unnecessary credential exposure to another executable and broadens the blast radius if the CLI is compromised, misconfigured, or logs its environment.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The roadmap explicitly plans analytics and monitoring tooling such as Mixpanel/Amplitude, Sentry, CloudWatch, and custom KPI dashboards, but the surrounding privacy/compliance language does not clearly state any user-facing consent, disclosure, opt-out controls, or data-minimization boundaries for telemetry collection. In a consumer finance app handling portfolio, alert, and usage data, silent behavioral tracking can expose sensitive financial interests and create privacy/compliance risk under GDPR/CCPA and app-store disclosure requirements.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly tells users to extract X/Twitter session tokens from browser cookies and place them into a local .env file. Session/auth tokens are highly sensitive credentials; encouraging manual extraction and storage without strong warnings, scope limitations, revocation guidance, or use of safer OAuth-based flows increases the risk of account takeover if the tokens are leaked, logged, committed, or reused.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation instructs users to place Twitter/X authentication secrets in a local .env file but does not warn about secure storage, file permissions, accidental commits, or token exposure to subprocesses. In a skill that uses shell commands and optional social-media tooling, this increases the chance that sensitive tokens are leaked through logs, repos, backups, or unintended process inheritance.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The instructions tell users to grant Terminal Full Disk Access and manually extract X cookies/tokens, but do not include an explicit warning that these tokens can enable account takeover or expose unrelated local browser data. In the context of a stock-analysis skill, this is more dangerous because social sentiment is only an optional feature, yet the setup asks for highly sensitive permissions disproportionate to the core functionality.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The watchlist documentation shows commands that add/remove persistent entries and a `--notify` mode for outbound notifications, but it does not warn users that data may be stored locally and that alerts may be formatted for external delivery. In a finance-oriented skill handling watchlists, prices, targets, and stop levels, this can lead to unintended retention or disclosure of sensitive investment preferences and trading signals.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script hard-codes an email-like identity string for SEC EDGAR requests and sends it to an external service without explicit user disclosure or configuration. In a skill context, this creates an undisclosed outbound identifier, weakens privacy/transparency, and can cause misuse of a shared or incorrect contact identity across deployments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Silently importing all variables from .env without user disclosure expands access to credentials and local configuration beyond the apparent function of the tool. Because the scanner also uses subprocesses, those imported values may be inherited by child processes and unintentionally exposed or misused.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code silently imports values from a local .env file and passes them onward to a child process without transparency or scoping. In a skill context, that is risky because users may not expect locally stored secrets to be exposed to another executable during a market-scanning task.

VirusTotal

64/64 vendors flagged this skill as clean.
