Eastmoney Trading

Security checks across malware telemetry and agentic risk

Overview

This skill openly automates a real brokerage account, but it has enough high-impact trading, browser-session, third-party OCR, and persistent financial-data behavior that users should review it carefully before installing.

Install only if you intentionally want an agent to operate an Eastmoney brokerage account. Use a dedicated local browser profile, keep CDP bound to localhost, avoid the --confirm bypass for buy/sell/cancel, leave third-party OCR API keys unset unless you accept sending CAPTCHA images to that provider, and regularly delete generated logs/screenshots that may contain account balances, holdings, orders, or CAPTCHA images.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tainted flow: 'req' from os.environ.get (line 233, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
logger.info("正在调用大模型识别验证码...")
        
        with urllib.request.urlopen(req, timeout=30) as response:
            result = json.loads(response.read().decode('utf-8'))
            content = None
Confidence
95% confidence
Finding
with urllib.request.urlopen(req, timeout=30) as response:

Tainted flow: 'version_url' from os.environ.get (line 378, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
ws_url = None
    try:
        version_url = cdp_url.rstrip('/') + '/json/version'
        with urllib.request.urlopen(version_url, timeout=5) as resp:
            version_data = json.loads(resp.read().decode())
            ws_url = version_data.get('webSocketDebuggerUrl', '')
            ws_url = ws_url.replace('ws://127.0.0.1/', f'ws://{host}:9222/')
Confidence
90% confidence
Finding
with urllib.request.urlopen(version_url, timeout=5) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation describes capabilities to read environment variables for brokerage credentials, write logs/screenshots to disk, and access networked trading and market data services, but it does not declare corresponding permissions. This creates a dangerous mismatch between what users may believe the skill can do and what it actually does, especially in a brokerage automation context involving real funds and highly sensitive financial data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill uploads CAPTCHA images from a brokerage login flow to an external LLM OCR service without an in-context disclosure or point-of-use confirmation. In a high-risk trading skill, silently sending authentication-related artifacts to a third party is especially sensitive because it may expose account login workflow data and weaken user expectations around credential handling.

VirusTotal

66/66 vendors flagged this skill as clean.
