Hong Kong Stocks Intraday Trading Review

Security checks across malware telemetry and agentic risk

Overview

This trading skill needs review because it can send trading details to Feishu by default, exposes an API token over cleartext HTTP, and sometimes presents simulated data as real market analysis.

Install only after reviewing and changing the Feishu notification path, removing the hardcoded recipient, avoiding shell=True, and confirming all market data is real and current. Do not use the generated trading signals for real financial decisions until the simulated-data paths are removed or clearly labeled, and rotate any Tushare token that may have been used over HTTP.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            # Send to Feishu using the OpenClaw CLI
            feishu_user_id = os.getenv("FEISHU_USER_ID", "ou_eb6695d143b4010149cbf8de7f0e39bd")
            cmd = f"openclaw message send --channel feishu --target {feishu_user_id} --message {shlex.quote(message_text)}"
            result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
            
            if result.returncode == 0:
                logger.info("飞书通知已发送")
Confidence
98% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)

Tainted flow: 'TUSHARE_TOKEN' from os.getenv (line 19, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
def call_tushare(api_name: str, params: dict = None, fields: str = "") -> dict:
    """Call the Tushare API"""
    try:
        resp = requests.post(
            TUSHARE_URL,
            json={
                "api_name": api_name,
Confidence
99% confidence
Finding
resp = requests.post( TUSHARE_URL, json={ "api_name": api_name, "token": TUSHARE_TOKEN, "params": params or {},

Tainted flow: 'cmd' from os.getenv (line 334, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
            # Send to Feishu using the OpenClaw CLI
            feishu_user_id = os.getenv("FEISHU_USER_ID", "ou_eb6695d143b4010149cbf8de7f0e39bd")
            cmd = f"openclaw message send --channel feishu --target {feishu_user_id} --message {shlex.quote(message_text)}"
            result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
            
            if result.returncode == 0:
                logger.info("飞书通知已发送")
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The file explicitly claims it is based on actual stock-picking data while embedding simulated market and execution results. In a trading/reporting context, this can mislead operators or downstream systems into treating fabricated performance as real, resulting in bad decisions, false audit trails, or compliance issues.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The script claims to use previous-day closing data for stock selection, but `get_historical_data` actually fabricates random market data. In a trading context, this is dangerous because it can mislead users into believing recommendations are data-driven and suitable for real decisions, producing arbitrary outputs with financial consequences.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The file advertises integration with real multi-source financial APIs, but all three data-source methods return placeholder success responses with empty data. In a trading skill, this is dangerous because it can mislead users or downstream agents into trusting outputs as market-grounded analysis when they are actually synthetic or non-functional, creating a risk of unsafe financial decisions based on false premises.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The trend analysis function claims to analyze trend but actually generates a random score, with even an inline comment acknowledging that real historical data is not used. In the context of a trading system, this creates deceptive output that appears analytical and can directly influence buy/sell decisions without any market basis.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The momentum analysis is presented as if derived from stock data, but it uses random values instead of market-derived indicators. Because this factor contributes to total scoring and recommendations, the skill can output arbitrary trading signals that users may mistake for evidence-based analysis.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script writes output to a hard-coded absolute path outside its computed skill directory, which can cause unintended file writes, privacy issues, and operational surprises when run in another environment. In an agent/skill context, hidden side effects to the local filesystem are security-relevant because execution can modify host state without explicit operator control.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill explicitly supports sending trading plans and review results to a Feishu webhook, but it does not warn users that this transmits operational or potentially sensitive financial data to a third-party service. This can lead to unintended external disclosure of trading activity, strategy details, or system-generated error context, especially if webhook destinations are misconfigured or shared broadly.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code is configured to send a sensitive API token to http://api.tushare.pro, which exposes the credential and request contents to interception or modification on the network path. In an automation skill context, silent transmission of secrets over cleartext is especially dangerous because it may run unattended in shared or cloud environments.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill automatically sends stock-selection results to a Feishu recipient from an environment variable, with a hardcoded default recipient if none is provided. This creates undisclosed outbound data sharing, and the hardcoded fallback increases the risk of accidental leakage to an unintended party.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script automatically writes a report file to disk after printing it, without any confirmation or clear indication that execution has side effects. In automation environments, silent persistence can leak sensitive trading data, overwrite files, or violate least-surprise expectations for a review/analyzer tool.

VirusTotal

65/65 vendors flagged this skill as clean.
