Stock Selecter

Security checks across malware telemetry and agentic risk

Overview

The stock-screening skill is broadly coherent, but it warrants review because it sends the Tushare token over plain HTTP and one strategy appears to mislabel company repurchase data as shareholder or manager buying signals.

Install only if you are comfortable providing a Tushare token to this package and accepting local result-file creation by default. Treat the shareholder_buyback strategy with particular caution because it appears to rank company repurchase records as if they were shareholder or manager buying. Prefer setting save=false or an explicit output_dir, and avoid using the package until the API transport is HTTPS or otherwise secured.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Severity: Low
Confidence: 82%
Finding
The skill writes JSON/CSV and optionally HTML results to local disk by default, which creates persistent artifacts outside the core screening function. In an agent environment, silent file writes can expose sensitive prompts, derived results, or operational metadata to other local users/processes and may violate least-surprise expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The helper functions save_json_data() and load_json_data() perform arbitrary filesystem writes and reads using caller-supplied paths, even though this utility file is described as a stock data access library. In an agent setting, generic file I/O primitives broaden the skill's capabilities beyond its stated purpose and can enable unintended access to local data or overwriting files if exposed to untrusted inputs.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The file claims a security fix while setting the API endpoint to plain HTTP, which causes the Tushare token and request data to be transmitted without transport encryption. Anyone able to observe network traffic on the path could capture the token or tamper with responses, making this especially risky for a tool that automatically retrieves external financial data.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The code explicitly documents that it is using Tushare's repurchase interface, which represents company stock buybacks, not shareholder or management increases. Despite that, the strategy labels, filters, and scores the data as if it were insider/shareholder accumulation, which can systematically mislead users into making investment decisions on a false premise.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The implemented behavior does not match the advertised skill purpose: it screens repurchase records while presenting results as shareholder/senior-management increase-in-holdings signals. In a stock-selection skill, this mismatch is particularly dangerous because users may trust the strategy taxonomy and rankings, causing financially consequential decisions based on materially incorrect signal interpretation.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill documents report generation and automatic saving but does not clearly warn that execution writes files to disk by default. Silent persistence can expose sensitive outputs, overwrite existing data, or leave artifacts on shared systems without informed user consent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
Hardcoding automatic output to a specific external-drive path increases the risk of unintended data disclosure, especially on shared or removable storage. Users may not realize results are being persisted outside the current workspace, where access controls and backup/sync behavior may differ.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The public execute() entrypoint defaults save=True, causing automatic file persistence without an explicit opt-in at the API boundary. In agent workflows this is more dangerous than a pure CLI tool because upstream callers may invoke the skill programmatically and unintentionally leave sensitive output on disk, including generated reports and metadata.

VirusTotal

66/66 vendors flagged this skill as clean.