牛牛量化股票系统

Security checks across malware telemetry and agentic risk

Overview

This skill looks like a demo trading tool but presents hard-coded stock data and buy signals as a professional quant platform, which could mislead users making financial decisions.

Review carefully before installing or using. Treat all outputs as simulated examples, not investment advice or live market analysis. Do not make trades from its signals, verify any package installs and public URLs independently, and only use limited-purpose market-data credentials if you choose to experiment with it.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Intent-Code Divergence

Medium

Confidence: 94% confidence
Finding: The page presents itself as a stock quantitative trading platform with query, backtest, screening, and trading-signal capabilities, but the JavaScript only displays hard-coded demo outputs. In a financial context, this is dangerous because users may mistake fabricated results for real analysis and make investment decisions based on false information.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The tool emits explicit trading recommendations such as '买入', target price, stop-loss, position sizing, and favorable backtest results without any disclaimer that the output is simulated, informational, or not financial advice. In a trading context, users may reasonably rely on these outputs for real financial decisions, creating risk of financial harm and potential regulatory/compliance exposure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal