abe-finance-news

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its finance-briefing purpose, but its cron scripts contain a hardcoded default messaging target that could send portfolio-related briefings or alerts to an unintended WhatsApp group.

Review and change FINANCE_NEWS_TARGET before using any cron scripts, and avoid running the bundled cron jobs until you confirm the destination. Install only if you are comfortable with the skill storing local portfolio/alert data, calling finance/news/AI services, and using trusted local OpenBB/OpenClaw/Gemini tooling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (61)

Tainted flow: 'OPENBB_BINARY' from os.environ.get (line 42, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
    results = []
    for symbol in symbols[:10]:  # Limit to 10 symbols
        try:
            result = subprocess.run(
                [OPENBB_BINARY, symbol, '--earnings'],
                capture_output=True,
                text=True,
Confidence
77% confidence
Finding
result = subprocess.run( [OPENBB_BINARY, symbol, '--earnings'], capture_output=True, text=True, timeout=30 )

Tainted flow: 'OPENBB_BINARY' from os.environ.get (line 42, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
    results = []
    for symbol in symbols[:10]:  # Limit to 10 symbols
        try:
            result = subprocess.run(
                [OPENBB_BINARY, symbol, '--rating'],
                capture_output=True,
                text=True,
Confidence
77% confidence
Finding
result = subprocess.run( [OPENBB_BINARY, symbol, '--rating'], capture_output=True, text=True, timeout=30 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises substantial capabilities including shell execution, network access, environment-variable access, and file read/write, yet no explicit permissions model is declared. In an agent setting, this creates hidden authority: a finance-news skill can modify files, access secrets such as API keys, and execute commands beyond what a user would reasonably infer from the description.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose focuses on market news briefings, but the behavior extends into portfolio CRUD, persistent alerts, earnings tracking, scheduling, and other automation. This mismatch is dangerous because users and orchestrators may grant trust or invoke the skill for 'news' while it also performs persistent state changes and outbound actions that affect sensitive financial data and communications.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The file implements a full price-alert management subsystem (set/update/delete/snooze/check, persistent storage, user attribution, and trigger tracking), which materially exceeds the skill's declared finance-news briefing purpose. This scope expansion is dangerous because it introduces persistent state mutation and monitoring behavior not justified by the manifest, increasing the attack surface and enabling unauthorized or unexpected user tracking and action flows inside a news-oriented skill.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The alert records persist user-linked metadata such as note, set_by, set_date, triggered_count, and last_triggered, which goes beyond what is necessary for generating market news summaries. Retaining this user-specific activity history creates privacy and profiling risk, especially when stored without any visible minimization, retention controls, or access restrictions.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The code executes an external binary chosen from either the OPENBB_QUOTE_BIN environment variable or PATH and passes portfolio-derived symbols into it. Even though subprocess.run uses a list (reducing shell injection risk), invoking an externally supplied executable materially expands the skill's trust boundary and can lead to arbitrary code execution if the binary path or runtime environment is compromised.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This function reads API credentials from both process environment and a home-directory .env file outside the skill directory. That gives the skill credential-discovery capability broader than its stated news/briefing purpose and creates unnecessary access to local secrets that could be abused by other code paths or future changes.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code resolves and executes a local binary via an environment variable (`OPENBB_QUOTE_BIN`) or `PATH`, then uses it for quote retrieval. In an agent/skill context this creates a command-execution trust boundary around attacker-controllable local environment state, so a poisoned PATH or overridden env var could cause arbitrary executable invocation under the agent's privileges.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The fallback runs a `web-search` executable with dynamically constructed query text derived from a symbol, expanding the skill from news fetching into general-purpose external command execution. Even though `subprocess.run` uses an argument list, this still trusts an ambient executable from PATH and enables broader outbound data access than the finance-news scope requires.

Description-Behavior Mismatch

High
Confidence
90% confidence
Finding
This file implements persistent local portfolio state management, including add/remove/import/create operations, which materially exceeds the declared finance-news/news-briefing purpose. In an agent-skill context, capability drift is dangerous because it grants write access to user data and local files without a clear product justification, expanding the attack surface for unauthorized data manipulation or unintended side effects.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The import and interactive creation paths allow the skill to ingest arbitrary local CSV content and overwrite the portfolio file, even though this is not necessary for a news-briefing skill. In context, this creates unjustified local file access and state-changing behavior that could be abused to alter user portfolio data, ingest unintended files, or bypass user expectations about a read-oriented news skill.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script sends aggregated market and portfolio content to an external Gemini CLI subprocess, introducing an unannounced outbound data flow to a third-party tool. Even though subprocess.run is invoked with a list and not shell=True, the security issue is the external transmission/processing of potentially sensitive portfolio data outside the stated skill behavior and without clear trust, consent, or data-handling controls.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file implements broad portfolio/watchlist CRUD and alert-management behavior that goes well beyond a finance-news briefing skill's stated purpose. In an agent environment, unjustified stateful financial-management capabilities expand the attack surface and can enable unauthorized manipulation of sensitive user investment data or downstream actions based on that data.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code persists and edits a user holdings/watchlist store despite the skill being described as a news briefing tool. Even without immediate code execution issues, hidden or unjustified financial state management is dangerous because other components may trust this store for alerts, recommendations, or user-facing portfolio summaries, allowing silent tampering or misleading outputs.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
When moving a watchlist item to holdings, the code sets the holding 'name' from watchlist notes if no name is provided, which corrupts asset identity and can mislabel portfolio entries. In a finance context, this is risky because incorrect attribution can mislead users, poison downstream summaries/alerts, and obscure what security is actually held.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill sends article URLs to the third-party is.gd shortening service, which discloses browsing targets and potentially sensitive query parameters to an external party unrelated to core summarization. In a finance context, links may encode portfolio interests, tracking tokens, or internal source URLs, creating unnecessary data leakage outside the trusted workflow.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The JSON output includes raw market and portfolio data rather than only the summarized briefing, which can leak more information than a caller expects from a news-summary skill. If integrated into chat agents, logs, downstream APIs, or client apps, this broad exposure can reveal holdings, watchlists, raw headlines, and source metadata to unintended recipients.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
Debug mode writes raw market, portfolio, and headline data to local cache files in plaintext, creating a persistent disclosure risk on shared hosts, developer machines, or CI runners. Because this skill handles portfolio-related data, the logs can expose investment positions, watchlists, and source material long after the session ends.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The skill introduces an external Gemini CLI dependency that processes collected market and portfolio data, but this capability is not clearly justified by the skill's stated briefing purpose. Hidden expansion of external processing increases attack surface, complicates trust assumptions, and may route sensitive portfolio context to third-party tooling without clear user expectation.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file's stated behavior is unified stock/portfolio CRUD management, which materially differs from the manifest's claimed purpose of market news briefings with AI summaries. This kind of capability mismatch is dangerous because it can mislead operators and users about what the skill can actually do, reducing oversight and enabling unauthorized persistence or portfolio manipulation under the cover of a benign-seeming finance-news skill.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The code writes persistent local state to a stocks.json file even though the skill is presented as a news/briefing tool. Hidden or undeclared state mutation is risky because it can alter a user's portfolio/watchlist data unexpectedly and creates a trust boundary violation between declared read-oriented behavior and actual write-capable behavior.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The functions implement watchlist/holdings administration, including adding, moving, and removing securities, which is outside the justified scope of a finance-news briefing skill. Over-broad functionality increases risk because an agent or integration invoking this skill may unintentionally or silently modify user financial tracking data that it was never expected to control.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The CLI exposes operational commands that modify holdings, watchlists, and alerts, extending the skill from informational use into administrative control. In the context of a finance-news skill, this mismatch makes accidental or unauthorized invocation more dangerous because tooling or users may trust it as low-risk informational software while it can perform persistent changes.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The shorten_url function sends article URLs to is.gd, an unrelated third-party URL shortener, without user consent or necessity. Even if the URLs are public news links, this leaks user-relevant reading selections and possibly tracking parameters to another service outside the declared summarization provider.

VirusTotal

66/66 vendors flagged this skill as clean.
