Tongdaxin TDX Stock Query Skill

Security checks across malware telemetry and agentic risk

Overview

The inspected skill is a straightforward stock technical-analysis script that fetches market data, with no validated evidence of hidden task-control or storage behavior.

Install only if you are comfortable running local Python code that contacts yfinance/Yahoo to retrieve ticker data. Treat generated buy/sell signals as educational technical-analysis output, not professional financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Medium (91% confidence)
Finding
The skill is described as a stock-query capability, but it also exposes remote task creation, task inspection, and task cancellation operations. This broadens the capability from read-only querying into state-changing backend control, which can be abused to launch unwanted jobs, interfere with existing workflows, or consume remote resources if the skill is callable by untrusted prompts or users.

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The task-creation APIs accept filesystem/storage-related parameters such as `dir` and trigger backend ingestion jobs. In an agent context, this is more dangerous than ordinary stock lookup because user-influenced inputs can cause remote writes, large data pulls, or misuse of backend storage paths, potentially leading to resource exhaustion or unsafe file placement on the backend service.

Missing User Warnings

Medium (88% confidence)
Finding
The README advertises creation of data-ingestion tasks and task control operations, but it does not clearly warn users that these calls trigger remote state changes and asynchronous backend processing. In an agent/tooling context, this can cause unintended writes, resource consumption, or operational side effects if the skill is invoked based only on a user asking for stock information.

Missing User Warnings

Low (82% confidence)
Finding
The README instructs users to configure an external TDX_API_URL and use the skill over the network, but it does not disclose that stock codes, query parameters, and possibly usage patterns will be sent to a remote service. This weakens informed consent and can increase privacy, trust, and supply-chain risk, especially if an agent automatically uses the configured endpoint.

Vague Triggers

Medium (88% confidence)
Finding
The trigger description says the skill should be used whenever users ask stock-related questions, which is broad enough to overlap with ordinary conversational or analytical requests. Over-broad routing can cause the agent to invoke networked actions unexpectedly, sending user queries or derived stock symbols to external APIs without clear user intent. The skill context increases risk because it is not a purely local helper; it can perform remote lookups and potentially task-creation operations.

Missing User Warnings

Medium (90% confidence)
Finding
The skill advertises APIs that create background data-ingestion tasks and write to local directories, but the documentation does not prominently warn that these operations consume disk, bandwidth, and possibly long-running compute. In an agent setting, this can lead to unexpected local persistence or resource exhaustion if invoked casually or through ambiguous prompts. The context makes this more dangerous because the skill mixes harmless read-only market queries with state-changing file-writing operations under the same interface.

Missing User Warnings

Medium (90% confidence)
Finding
These methods can submit remote ingestion/storage jobs without any explicit warning, confirmation, or privilege boundary. In an agent environment, hidden side effects are risky because a seemingly informational request can trigger backend writes, long-running processing, or quota consumption without the operator realizing it.

Missing User Warnings

Medium (90% confidence)
Finding
The trade-ingestion task submission endpoint can initiate potentially expensive backend work and write output to storage, yet the skill presents it as a normal callable method without explicit operator warning. This increases the chance of unintended job execution, resource abuse, or misuse of backend processing capacity.

VirusTotal

65/65 vendors flagged this skill as clean.
