Stocki

Security checks across malware telemetry and agentic risk

Overview

Stocki mostly matches its finance-analysis purpose, but its repair/update path can automatically delete and replace its own installed code without a clear confirmation step.

Install only if you trust Stocki and are comfortable with outbound requests to its gateway, a local ~/stocki workspace, and repair/update commands that may replace the installed skill. Avoid running doctor/update paths in sensitive environments unless you have reviewed them, and store the API key with normal secret hygiene rather than casually placing it in shared shell startup files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Try to reinstall skill via clawhub, then GitHub."""
    print("      Reinstalling skill...")
    try:
        r = subprocess.run(["clawhub", "install", "stocki", "--force"],
                           capture_output=True, text=True, timeout=30)
        if r.returncode == 0:
            print("      -> Reinstalled via clawhub")
Confidence
95% confidence
Finding
r = subprocess.run(["clawhub", "install", "stocki", "--force"], capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print("      -> Reinstall aborted: unexpected skill directory path")
        return False
    try:
        subprocess.run(["rm", "-rf", SKILL_DIR], check=True)
        r = subprocess.run(
            ["git", "-c", "http.postBuffer=524288000", "-c", "http.lowSpeedLimit=0",
             "-c", "http.lowSpeedTime=300", "clone",
Confidence
98% confidence
Finding
subprocess.run(["rm", "-rf", SKILL_DIR], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        return False
    try:
        subprocess.run(["rm", "-rf", SKILL_DIR], check=True)
        r = subprocess.run(
            ["git", "-c", "http.postBuffer=524288000", "-c", "http.lowSpeedLimit=0",
             "-c", "http.lowSpeedTime=300", "clone",
             "https://github.com/stocki-ai/open-stocki.git", SKILL_DIR],
Confidence
96% confidence
Finding
r = subprocess.run( ["git", "-c", "http.postBuffer=524288000", "-c", "http.lowSpeedLimit=0", "-c", "http.lowSpeedTime=300", "clone", "https://github.com/s

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill requests or implies capabilities including environment access, local file reads/writes, network access, and shell execution, but does not declare corresponding permissions. This weakens transparency and consent boundaries: an operator may believe the skill is only a market-data assistant while it can also touch local state and invoke external commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is financial analysis, but the skill also describes update, diagnostic, integrity, filesystem, and self-management behaviors, including potentially dangerous command execution such as clawhub install, rm -rf, and git clone. This mismatch is risky because users may invoke a seemingly harmless analysis skill without realizing it can modify the local system, fetch remote content, or reinstall itself.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill contains self-update and local repair behavior that goes beyond its declared financial-analyst function. This expands the trust boundary from data retrieval to local software modification, including deletion and replacement of code. Such capability increases the blast radius if the update path, remote source, or environment is compromised.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Executing system commands to reinstall the skill is not justified by the advertised functionality and exposes the host to unintended code execution and destructive changes. The commands perform installation, deletion, and cloning operations that can alter the local environment significantly. In this context, that mismatch between stated purpose and capability makes the issue more severe.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The install guide tells users to run a destructive `rm -rf` command before reinstalling, but provides no warning, backup guidance, or confirmation step. Although the path is scoped to the skill directory rather than arbitrary user data, destructive commands in documentation can still cause accidental data loss if the path is mistyped, expanded unexpectedly, or copied into a different environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to export an API key and persist it in `~/.bashrc` or `~/.zshrc` without any warning about credential exposure. Shell startup files may be broadly readable, accidentally committed, displayed during troubleshooting, or inherited by child processes, increasing the chance that long-lived secrets are leaked.

Missing User Warnings

High
Confidence
99% confidence
Finding
The doctor workflow can automatically trigger deletion and reinstallation of the skill without an explicit confirmation prompt. A user running a diagnostic command may not expect destructive maintenance actions, which creates a significant safety and integrity risk. In a CLI distributed as a financial tool, surprise self-modification is especially inappropriate.

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
---

## Output Rules

- **Instant mode:** Present output directly. No attribution, no processing.
- **Quant mode:** Prefix with "以下分析来自Stocki:". Preserve content, clean up formatting for mobile.
Confidence
88% confidence
Finding
Output Rules

VirusTotal

66/66 vendors flagged this skill as clean.
