Fund Knowledge Query

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed API-backed fund knowledge tool, with expected network calls and API-key use, but users should understand it stores the service key in a local .env file.

Install only if you are comfortable using the XiaoBenYang service and storing its API key in a local plaintext .env file. Avoid entering highly sensitive investment or research queries unless you trust the upstream API provider and its data handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium, 91% confidence

Finding: The module persists an API key to a local .env file even though the stated skill purpose is fund-knowledge querying, not credential management. Storing secrets in plaintext on disk increases the chance of accidental disclosure through source control, backups, logs, or other local users/processes, and expands the skill's capability beyond its declared scope.

Context-Inappropriate Capability

Medium, 87% confidence

Finding: The file includes local credential write/update logic that is not clearly justified by a read-only knowledge-query service. Scope expansion like this is risky because users may grant trust based on the manifest while the code also handles and stores credentials, increasing exposure if the host environment is shared or compromised.

Description-Behavior Mismatch

Medium, 88% confidence

Finding: The skill metadata describes a fund knowledge query/retrieval service, but this file exposes a stock search capability that broadens the effective scope of data access and user expectations. Scope drift is dangerous because users or integrators may rely on the manifest for trust decisions, while the implementation silently enables adjacent financial-data lookups not clearly disclosed.

Missing User Warnings

Medium, 93% confidence

Finding: The skill instructs the agent to solicit an API key from the user and persist it via `set_api_key` without any warning, scope limitation, storage details, or consent language. This is dangerous because it normalizes secret collection and local persistence, increasing the risk of credential leakage, reuse across sessions, accidental disclosure, or insecure storage in plaintext configuration files.

Missing User Warnings

Medium, 90% confidence

Finding: The code writes API keys to .env without any user-facing warning or consent flow about plaintext credential storage. This is dangerous because users may assume temporary in-memory use, while the application silently creates a persistent secret artifact that can be leaked or committed inadvertently.

Missing User Warnings

Medium, 80% confidence

Finding: This wrapper sends user-provided content to an external API via `call_api`, but the file shows no user-facing notice, consent mechanism, or data-handling disclosure. That creates a privacy and transparency risk because users may not realize their input is transmitted off-box to a remote service.

Missing User Warnings

Medium, 80% confidence

Finding: The knowledge-query wrapper forwards search terms and paging parameters to an external API without any visible disclosure in this file. In a knowledge-retrieval skill, hidden outbound transmission increases privacy and compliance risk, especially if queries can contain sensitive financial interests or internal research topics.

Missing User Warnings

Medium, 84% confidence

Finding: The stock search function transmits user search terms to an external API, again without visible disclosure. Because stock queries can reveal investment intent or sensitive research activity, undisclosed transmission to third parties can materially affect user privacy and trust.

VirusTotal

64/64 vendors flagged this skill as clean.