research analyst

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent finance-analysis tool that uses public market-data lookups and local portfolio storage without evidence of hidden, destructive, or credential-seeking behavior.

Install dependencies in a virtual environment, avoid sudo, and only query or store portfolio tickers you are comfortable exposing to public market-data providers. Protect the local portfolios.json file because it can reveal holdings and cost basis.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: User-supplied tickers and stored holdings are transmitted to a third-party market-data service during validation and display without clear disclosure or consent. In a local portfolio tool, holdings can be sensitive financial information, so silent outbound requests create a privacy leak and may violate user expectations or platform policy.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal