iFinD-Finance-Data

Warn

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: MEDIUM
DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The provided scripts call.py and call-node.js explicitly disable SSL certificate verification when connecting to the iFinD API host api-mcp.51ifind.com. In call.py, the requests.post call is configured with verify=False. In call-node.js, the https.request options include rejectUnauthorized: false. This insecure configuration makes the skill vulnerable to man-in-the-middle (MitM) attacks, which could lead to the theft of the auth_token stored in mcp_config.json or the tampering of financial data sent to the agent.
  • [PROMPT_INJECTION]: The skill processes untrusted financial data and user-defined queries, creating an indirect prompt injection surface.
      • Ingestion points: User-provided query strings are passed directly into the API request functions.
      • Boundary markers: No delimiters or instructions are used to separate user-provided parameters from system instructions.
      • Capability inventory: The skill possesses the ability to perform network operations and read local configuration files.
      • Sanitization: Neither the input queries nor the returned financial data are sanitized for malicious content or instructions before being returned to the agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 9, 2026, 01:11 AM