astock-research

Security checks across malware telemetry and agentic risk

Overview

This stock-research skill is mostly purpose-aligned, but it ships an embedded API key and an under-documented external market-data helper.

Review before installing or running. Remove and rotate the embedded QVeris key, require a user-provided QVERIS_API_KEY, document the external data request, and verify the referenced QVeris helper from a trusted source. Treat any generated ratings or position guidance as informational, not investment advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The script contains and exports a hardcoded API key directly in source code, which is a real secret-exposure vulnerability. Anyone with access to the repository, logs, backups, or the installed skill can reuse the credential to query the external service, incur cost, or access data under the author's account; embedding a live key is especially risky because this skill's stock-query purpose does not require distributing the secret to end users.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
Exporting a hardcoded API key for downstream use without disclosure is a true vulnerability because it silently grants external-service access using embedded credentials. This increases the chance of unintended credential propagation to child processes, debugging output, or shell history and makes the secret easier to misuse or extract.

VirusTotal

63/63 vendors flagged this skill as clean.
