AKShare

Security checks across malware telemetry and agentic risk

Overview

This skill is meant for public finance data, but its helper can run arbitrary Python code on the user's machine if given a dangerous expression.

Install only if you trust every expression the agent will run, and avoid using expressions copied from untrusted sources. Prefer running this in a sandbox or waiting for a version that replaces eval with explicit, validated AKShare commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

eval() call detected

High
Category
Dangerous Code Execution
Content
env = {'ak': ak, 'pd': pd, 'json': json}
try:
    result = eval(args.expr, {'__builtins__': __builtins__}, env)
except Exception as e:
    print(f'EVAL_ERROR: {e}', file=sys.stderr)
    raise
Confidence
99% confidence
Finding
result = eval(args.expr, {'__builtins__': __builtins__}, env)

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The implementation is not constrained to AKShare data retrieval; it is effectively a general Python expression evaluator with AKShare, pandas, and json preloaded. That broad capability allows abuse well beyond the declared skill purpose, including local file access, command execution, and unrestricted use of library object graphs to reach sensitive functionality.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file's behavior materially exceeds the manifest description by acting as a generic Python evaluator rather than a dedicated market-data access tool. This mismatch is dangerous because users and orchestrators may trust the skill as a bounded financial-data utility when it actually grants execution semantics that can be chained into broader compromise.

Missing User Warnings

High
Confidence
94% confidence
Finding
The skill combines arbitrary expression evaluation with AKShare-backed network access and provides no warning, confirmation, or trust boundary to the caller. In this context, that means a seemingly harmless market-data request can trigger unexpected code execution and external requests, increasing the likelihood of abuse, data exfiltration, or policy bypass without informed user consent.

VirusTotal

64/64 vendors flagged this skill as clean.
