commodities

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed commodity price checker that uses yfinance/Yahoo Finance and includes related headlines, with no evidence of credential theft, hidden persistence, or destructive behavior.

Install only if you are comfortable with uv installing yfinance, contacting Yahoo Finance, and returning related headline titles and links along with prices. Treat returned news links as external content and verify market data before making financial decisions.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Description-Behavior Mismatch

Medium

Confidence: 94% confidence
Finding: The skill collects and returns recent news articles even though its stated purpose is only to fetch commodity prices. This expands data exposure and behavior beyond the declared scope, which can surprise downstream users or agents and create unnecessary external-content ingestion risks, including prompt/content injection from untrusted article metadata or links.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal