Security audit

A Share Sector

Security checks across malware telemetry and agentic risk

Overview

This market-data skill is mostly purpose-aligned, but it automatically installs unpinned Python packages and silently bypasses proxy settings during normal use.

Review before installing in managed or sensitive environments. Prefer preinstalling reviewed, pinned versions of akshare and pandas, and be aware that the script may bypass configured proxy variables for its own process. VirusTotal and static scan were clean, and no credential theft, exfiltration, persistence, or destructive behavior was found.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    import akshare  # noqa: F401
except ImportError:
    print("正在安装依赖 akshare pandas ...", file=sys.stderr)
    subprocess.check_call(
        [sys.executable, "-m", "pip", "install", "akshare", "pandas", "-q"]
    )
Confidence
94% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", "akshare", "pandas", "-q"] )

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs the agent to execute shell commands, access the network, and potentially use environment context, but it declares no permissions or trust boundaries. This creates a real security governance gap: an orchestrator or reviewer cannot accurately assess or constrain what the skill is allowed to do, increasing the risk of unintended command execution, package installation, or external data access.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Installing Python packages at runtime is not necessary for the stated purpose of querying A-share sector data and expands the trust boundary to external package distribution during normal use. This is especially risky in an agent skill context because execution may occur on shared or automated hosts, turning a simple data query into an environment-modifying action with supply-chain exposure.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The script deletes all proxy-related environment variables before running, which changes host network behavior beyond what users would expect from a read-only market-query tool. While likely intended to avoid 403 errors from the upstream data source, it can bypass enterprise egress controls, break audit/inspection paths, or interfere with other expected network security settings in the execution environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script installs packages via pip during execution with only a runtime status message, not an upfront consent or deployment-time requirement. In a skill that is supposed to query data, silent environment modification increases operational and security risk because it fetches and executes third-party package code as part of normal usage.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Deleting proxy-related environment variables without explicit warning alters the host's configured network path and may undermine expected security controls or connectivity behavior. Even if done to improve compatibility with the data provider, this is a surprising side effect for a query utility and is more concerning in managed or enterprise environments.

Unpinned Dependencies

Low
Category
Supply Chain
Content
akshare>=1.14.0
pandas>=2.0.0
Confidence
92% confidence
Finding
akshare>=1.14.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
akshare>=1.14.0
pandas>=2.0.0
Confidence
92% confidence
Finding
pandas>=2.0.0

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.