qutedance-quotes

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow market-quote lookup tool; it uses a Qutedance API key if configured, but I found no hidden, destructive, or unrelated behavior.

Install only if you trust the configured Qutedance quote service and are comfortable sending ticker/search queries to it. Do not put a real API key into a shared or version-controlled config.json; use QUTEDANCE_API_KEY or another secret-management mechanism, and keep the service URL on HTTPS unless it is a local development endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The setup instructions explicitly encourage users to place an API key directly into a repository-backed config file, which can lead to credential leakage through source control, backups, logs, or workspace sharing. Even though the example value is empty, the documented practice normalizes insecure secret handling and materially increases the chance of real secret exposure.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script loads an API key from config or environment and automatically attaches it to outbound requests, while the default service URL is plain HTTP. This can expose credentials over an unencrypted network path and provides no user-facing indication that a secret will be transmitted to a remote service.

VirusTotal

63/63 vendors flagged this skill as clean.