Stock Monitor Pro

Security checks across malware telemetry and agentic risk

Overview

The stock monitor is mostly purpose-aligned, but it includes under-disclosed financial data handling and a helper that can send alerts to a hard-coded Feishu user through a shell command.

Review before installing. Edit or remove the bundled WATCHLIST before running. Do not run cron_check.py unless you replace the hard-coded Feishu user ID and remove shell=True (pass the command as an argument list instead of a single string). Assume that the AI analysis features can send portfolio details such as cost basis and share count to third-party model providers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        # Use --account main to select the correct Feishu account
        cmd = "openclaw message send --channel feishu --account main --target user:" + FEISHU_USER_ID + " --message \"" + message.replace('"', '\\"') + "\""

        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
            encoding='utf-8',
            timeout=60,
            shell=True
        )
Confidence
97% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, encoding='utf-8', timeout=60, shell=True )
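
The flagged helper builds the whole command as one string and hands it to a shell with shell=True, so the alert text is parsed by /bin/sh. Escaping double quotes is not enough: a message that contains a backslash before a quote produces an escaped backslash followed by a live quote, which closes the string, and $(...) and backtick substitution inside double quotes are left untouched. The block below is an added example, not code from Stock Monitor Pro or from SkillSpector. It reproduces the page's string construction, uses shlex (which follows POSIX quoting rules but performs no expansion) to show how a crafted message changes the word list the CLI would receive, and builds the argument-list form that needs no shell. The placeholder user ID, the FEISHU_USER_ID environment variable and the openclaw invocation shape are assumptions taken from the snippet above.

```python
import os
import re
import shlex
import subprocess

# Stand-in for the hard-coded ID in cron_check.py; the value is illustrative (assumption).
FEISHU_USER_ID = "ou_placeholder"

# Word count of the intended command: argv[0] plus ten arguments.
EXPECTED_WORDS = 11


def build_unsafe_cmd(message: str, user_id: str = FEISHU_USER_ID) -> str:
    """Rebuilds the command string exactly as the flagged helper does (for shell=True).
    Kept only to demonstrate the problem; never pass this to a shell."""
    return (
        "openclaw message send --channel feishu --account main --target user:"
        + user_id
        + ' --message "' + message.replace('"', '\\"') + '"'
    )


def shell_words(cmd: str) -> list:
    """How a POSIX shell splits cmd into words: quotes and backslashes are honoured,
    but $(...), backticks and variables are NOT expanded here, so this under-counts."""
    return shlex.split(cmd)


def message_survives_unsafe_path(message: str) -> bool:
    """True only if the shell would hand the CLI exactly one --message value equal to message."""
    words = shell_words(build_unsafe_cmd(message))
    return len(words) == EXPECTED_WORDS and words[-1] == message


_EXPANSION = re.compile(r"\$|`")


def has_shell_expansion(message: str) -> bool:
    """Characters that start command or parameter substitution inside double quotes;
    the replace('"', '\\"') in the original helper leaves them untouched."""
    return _EXPANSION.search(message) is not None


def build_safe_argv(message: str, user_id: str) -> list:
    """Argument list for subprocess.run(..., shell=False): every element reaches the CLI
    verbatim because no shell parses it."""
    return ["openclaw", "message", "send", "--channel", "feishu", "--account", "main",
            "--target", "user:" + user_id, "--message", message]


def send_alert(message: str) -> subprocess.CompletedProcess:
    """Hardened replacement for the flagged call: no shell, and the recipient ID comes
    from the environment (variable name is an assumption) instead of a constant."""
    user_id = os.environ["FEISHU_USER_ID"]
    return subprocess.run(build_safe_argv(message, user_id),
                          capture_output=True, text=True, encoding="utf-8", timeout=60)


if __name__ == "__main__":
    # Constructed messages: a normal alert and one that closes the quoted string.
    benign = "AAPL crossed 200.00 (+3.1%)"
    breakout = '\\" ; id ; echo \\"'
    print(message_survives_unsafe_path(benign))    # True
    print(message_survives_unsafe_path(breakout))  # False: 'id' becomes its own command word
    print(shell_words(build_unsafe_cmd(breakout))[10:])
    print(has_shell_expansion("price is $(id)"))   # True: survives the quote escaping
    print(build_safe_argv(breakout, FEISHU_USER_ID)[-1] == breakout)  # True
```

The argument-list form also removes the need for any escaping logic, which is the usual source of these bugs; the only remaining concern is the CLI's own parsing of a message that begins with a dash, which is a property of openclaw, not of the shell.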

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation advertises runtime behaviors implying shell execution, network access, and environment usage, yet no permissions are declared. This creates a transparency and trust boundary problem: users and platforms may approve a seemingly simple monitoring skill without understanding that it can invoke external services, run background scripts, and access local execution context.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared purpose is stock monitoring, but the documentation expands behavior into news scraping, external AI calls, trading-signal generation, message delivery, and daemonized execution. This mismatch is dangerous because it hides materially different data flows and actions from users, making consent, review, and risk assessment incomplete.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The later documentation introduces AI advisory and trading-signal features beyond a passive monitor/alert role. That scope expansion increases operational and compliance risk because users may rely on hidden recommendation logic that was not declared in the primary manifest or description.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The example alerts include prescriptive investment recommendations such as holding, reducing positions, and watching for rebound opportunities, which goes beyond neutral monitoring. In context, this is more dangerous because the skill is presented as an alerting tool, so users may not expect or scrutinize embedded financial advice with the same care as a dedicated advisory product.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends stock holdings, pricing, alerts, and possibly news-derived context to third-party AI endpoints without any evident user-facing disclosure or consent flow. In a financial context, portfolio positions and cost basis are sensitive; undisclosed transmission can create privacy, compliance, and trust risks, especially when using external model providers.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The file hard-codes sensitive portfolio information, including a named individual's holdings, cost basis, and position size. If the skill is shared, logged, version-controlled, or exposed to other agents/users, this leaks private financial data that could enable profiling, targeted social engineering, or unauthorized inference about the owner's assets.
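
The two findings above concern the same data: position fields written as literals in the skill's source, and the same fields flowing into prompts sent to an external model. The block below is an added example, not the project's code; the page does not show the WATCHLIST file, so its layout, the field names and the sample source are constructed assumptions. It gives a pre-install check that walks a skill's Python source with the ast module and reports position-describing keys inside the WATCHLIST literal, and a minimiser that keeps only market-observable fields (and reports what it dropped) before an entry is serialised into a model prompt.

```python
import ast

# Keys that describe a person's position rather than the market (assumed names).
POSITION_KEYS = {"owner", "holder", "name", "shares", "quantity", "cost_basis", "cost", "avg_price"}

# Keys the AI analysis legitimately needs: anyone with a quote feed can observe them.
MARKET_KEYS = {"ticker", "price", "change_pct", "threshold", "news"}

# Constructed sample of what a bundled watchlist might look like; not the real file.
SAMPLE_SOURCE = '''
WATCHLIST = [
    {"ticker": "AAPL", "owner": "Jane", "shares": 120, "cost_basis": 150.0, "threshold": 0.05},
    {"ticker": "MSFT", "threshold": 0.03},
]
'''


def find_hardcoded_positions(source: str, var_name: str = "WATCHLIST") -> list:
    """Return (line, key) for every position-describing key inside dict literals that are
    assigned to var_name. Run this over cron_check.py (or any skill file) before installing."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        if not any(isinstance(t, ast.Name) and t.id == var_name for t in node.targets):
            continue
        # Walk the assigned value so nested lists/dicts are covered, not just the top level.
        for sub in ast.walk(node.value):
            if isinstance(sub, ast.Dict):
                for key in sub.keys:
                    if (isinstance(key, ast.Constant) and isinstance(key.value, str)
                            and key.value.lower() in POSITION_KEYS):
                        hits.append((key.lineno, key.value))
    return hits


def minimize_for_model(entry: dict) -> tuple:
    """Split an entry into (fields safe to send, keys that were withheld).
    Allow-listing MARKET_KEYS means a new position field added later is dropped by default."""
    kept = {k: v for k, v in entry.items() if k in MARKET_KEYS}
    removed = set(entry) - set(kept)
    return kept, removed


def build_prompt_context(watchlist: list) -> list:
    """Minimised entries ready to be serialised into a prompt for a third-party model."""
    return [minimize_for_model(e)[0] for e in watchlist]


if __name__ == "__main__":
    for line, key in find_hardcoded_positions(SAMPLE_SOURCE):
        print(f"line {line}: position field {key!r} hard-coded in WATCHLIST")
    entry = {"ticker": "AAPL", "owner": "Jane", "shares": 120, "cost_basis": 150.0, "price": 172.3}
    kept, removed = minimize_for_model(entry)
    print(kept, "withheld:", sorted(removed))
```

A non-empty result from find_hardcoded_positions is the signal to edit or strip the WATCHLIST before the first run; logging the withheld keys from minimize_for_model gives the disclosure that the findings note is missing, without putting the values themselves into the log.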

VirusTotal

66/66 vendors flagged this skill as clean.