stock-assistant

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent stock assistant, but it can send stock and portfolio details to Feishu or arbitrary webhook URLs with weak disclosure and control.

Install only if you are comfortable with a local stock tool that can send portfolio-related data to Feishu or webhook destinations. Use only trusted webhook URLs and recipients, avoid passing App Secrets on the command line, review or remove the bundled CSV files before use, and back up/export your local database before deleting or importing records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Tainted flow: 'content' from requests.get (line 397, network input) → requests.post (network output)

Medium
Category
Data Flow
Content
content = json_mod.dumps({"text": message})

# 3. Send the message directly using open_id
msg_resp = requests.post(f'https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id', headers={
    'Authorization': f'Bearer {token}',
    'Content-Type': 'application/json'
}, json={
Confidence
89% confidence
Finding
msg_resp = requests.post(f'https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id', headers={ 'Authorization': f'Bearer {token}', 'Content-Type': 'appl

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill documentation describes capabilities that read and write local files and access external network services, but it does not declare any permissions or clearly bound those actions. In agent environments, undeclared capabilities reduce transparency and can lead users or orchestration systems to grant broader trust than warranted, especially because the skill can import/export CSV and send data externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The declared purpose presents the skill as a local stock assistant, but the documentation also includes Feishu webhook pushes, app-secret-based token use, private chat delivery, and scheduled proactive notifications. This mismatch is dangerous because users may authorize the skill expecting local analysis while it can exfiltrate stock or trading-related information to third-party messaging endpoints and operate in a more autonomous manner than advertised.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The file contains outbound Feishu messaging capabilities even though the skill metadata describes quote lookup, trade records, P&L analysis, and CSV import/export. Undeclared communication features materially expand the attack surface and create an opportunity to transmit data off-platform without users expecting it.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
send_feishu accepts an arbitrary HTTP(S) webhook and posts message content to it. That gives the module a generic exfiltration primitive unrelated to the stock assistant's stated purpose, enabling theft of portfolio data, fetched market data, or other sensitive text to attacker-controlled endpoints if the function is invoked with untrusted parameters.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This code handles Feishu app credentials and sends private messages, which is an undeclared integration capability outside the stated stock assistant scope. Credential handling plus outbound messaging increases the chance of secret misuse and unauthorized data sharing, especially in an agent skill that otherwise appears to be a local analysis/fetch utility.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The CLI exposes Feishu notification and data exfiltration functionality that is not disclosed in the stated skill metadata, expanding the capability surface beyond quote lookup, trade management, PnL, and CSV import/export. Undocumented outbound messaging is security-relevant because users may not expect portfolio and quote data to be transmitted to a third-party service.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill documents a delete command for transaction records without warning that the action is destructive, potentially irreversible, and capable of altering PnL and position calculations. In a financial-record context, accidental deletion can cause loss of auditability and incorrect trading analysis, which makes this more sensitive than generic record cleanup.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation advertises pushing stock data to Feishu webhooks and private chat but provides no privacy, credential-handling, or data-transmission warning. Even if the payload is 'just stock data,' messages may include user-selected watchlists, timing, and trading context, and the use of webhook URLs or app credentials introduces risk of unintended disclosure or credential misuse.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code can transmit stock quotes and position-related information to Feishu without an explicit warning that sensitive financial data is leaving the local tool. This creates a privacy and confidentiality risk, especially if users paste a webhook from a shared group or misconfigure recipient IDs, causing unintended disclosure of holdings and trading context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Passing app secrets on the command line can expose them through shell history, process listings, job schedulers, and system monitoring tools. That creates a realistic credential leakage risk, especially on multi-user systems or in CI/cron environments where this script is likely to run.

VirusTotal

65/65 vendors flagged this skill as clean.
