Stock Watcher Pro

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent stock-announcement watcher, but it handles live account cookies, remote LLM data sharing, an unauthenticated network dashboard, and persistent cron setup with weak user-control safeguards.

Review this skill before installing. Use a dedicated low-risk Eastmoney session if possible, protect cookie.txt like a password, keep .env and the SQLite state out of shared workspaces, and only enable the LLM if you are comfortable sending watchlist-related announcement titles/text to the configured provider. Avoid running scripts/setup.sh unless you intend to install recurring cron jobs, and bind or firewall the dashboard if you do not want LAN access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Missing User Warnings

Medium (95% confidence)
Finding:
The README explicitly tells users to copy their authenticated browser cookie into a local file, but does not warn that this cookie is effectively a bearer credential that can grant account access if exposed. In an agent skill context, users may place this file in the skill directory, logs, backups, or shared workspaces, increasing the chance of credential leakage and unauthorized access to their Eastmoney account/session.

Missing User Warnings

Medium (92% confidence)
Finding:
The README documents use of a remote LLM endpoint and API key but does not clearly disclose that fetched announcement content may be transmitted to a third-party service for classification/summarization. This creates a data-sharing and privacy risk, especially if announcements, watchlists, or derived metadata are sensitive in the user's environment or subject to compliance requirements.

Vague Triggers

Medium (88% confidence)
Finding:
The invocation examples use broad natural-language phrases like asking the agent to 'help me see' or 'remind me daily,' without clear trigger boundaries or confirmation requirements. In agent ecosystems, this can cause accidental or overly eager invocation, leading to unintended network access, scheduled tasks, or processing of sensitive portfolio/watchlist data from ambiguous user requests.

Vague Triggers

Medium (90% confidence)
Finding:
The setup section repeatedly instructs users to 'tell agent' to initialize the skill, install dependencies, configure cookies, and set up LLM access, but does not define strict approval boundaries. Because these actions involve package installation, credential handling, file writes, and possibly browser automation, ambiguous activation language raises the risk that an agent performs high-impact setup steps from casual conversation rather than explicit authorization.

Missing User Warnings

Medium (95% confidence)
Finding:
The script sends announcement text and metadata to a third-party LLM endpoint via requests.post, but there is no explicit user-facing disclosure, consent flow, or data-classification control. Even if announcements are often public, the transmitted corpus may include account-scoped selections, internal preprocessing, or future non-public content, creating confidentiality and compliance risk.

Missing User Warnings

Medium (85% confidence)
Finding:
The module reads a local cookie file and then attaches that cookie to outbound requests to Eastmoney APIs to access the user's account-specific watchlist. Although this is part of the feature design, it involves handling authentication/session material without any explicit consent flow, scoping, or safeguards, so accidental leakage or unintended reuse of a live session cookie is a real privacy/security concern.

Missing User Warnings

Medium (83% confidence)
Finding:
The script transmits announcement titles and stock names to an external LLM service during bulk reclassification without an explicit consent, disclosure, or data-handling guard at the point of transmission. In this skill context, the data appears business-related rather than highly sensitive, but large-scale outbound transfer to a third-party model endpoint can still create privacy, compliance, and data-governance risk, especially if config.json points to an untrusted base_url.

Missing User Warnings

Medium (97% confidence)
Finding:
The script writes directly to the user's crontab without an explicit consent prompt, causing persistent scheduled execution to be installed automatically. In an agent-skill context, silent persistence is security-relevant because it changes system behavior beyond the current run and could repeatedly execute code or network activity without the user's informed approval.

VirusTotal

VirusTotal findings are pending for this skill version.