Sina Market

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Sina Finance market-data helper that uses disclosed public network requests and packaged reference files without signs of credential access, persistence, or destructive behavior.

Before installing, understand that running the scripts will contact Sina Finance public endpoints and return market data that may be incomplete or change over time. The artifact is executable Python from a non-trusted publisher, but the reviewed behavior is coherent with its stated purpose and does not show hidden credential use, persistence, or destructive actions.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill advertises and instructs use of a Python script that performs network access and likely reads local reference files, but the skill metadata does not declare those capabilities. Undeclared permissions undermine least-privilege review and can cause users or orchestrators to invoke the skill without understanding that it reaches external services and accesses local files.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal