Economic Calendar Pro

Security checks across malware telemetry and agentic risk

Overview

This skill matches its stated purpose of fetching economic calendar data, with a minor credential-handling caveat around optional .env use.

Install only if you are comfortable with the script contacting TradingEconomics or Yahoo Finance for calendar data. Prefer setting TRADING_ECONOMICS_API_KEY in the runtime environment instead of a repo .env file; if you use .env, keep it gitignored and avoid storing unrelated secrets there. Review any recurring briefing before confirming it, and manage or cancel it through remind-me when no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 81% confidence
Finding: The skill tells users to place a credential-bearing TradingEconomics API key in an environment variable or repo-root .env file, but it does not warn against logging, echoing, committing, or otherwise exposing that secret. In a skill that also reads local files and runs scripts, this increases the risk of accidental credential leakage through terminal history, repository commits, or downstream tool output.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal