同花顺 (Tonghuashun) Level2 Data Access

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis skill is not clearly malicious, but it includes high-impact, under-scoped methods such as administrator process-memory reading, protocol interception guidance, and proprietary client/server simulation.

Treat this as a Review install. Use only the ordinary local/API analysis parts after reading the code, use a dedicated low-privilege Tushare token, and avoid the memory-reading, packet-capture, MITM, debugger, shared-memory, and protocol-emulation workflows unless you have explicit authorization and understand what process data or traffic may be exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (68)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill advertises and documents capabilities that imply environment access, local file read/write, network connectivity, and shell execution, yet no explicit permissions are declared. This creates a dangerous transparency gap: users and the hosting platform cannot accurately evaluate or constrain what the skill may do before installation or execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
99% confidence
Finding
This is a substantial description-behavior mismatch: the skill is presented as a market data analysis tool, but the documented and detected behaviors include protocol reverse engineering, direct TCP communication with a vendor server, process memory scanning, reading unrelated local trading data, and generation of simulated data. That combination can mislead users into authorizing far more invasive behavior than expected, including actions associated with credential exposure, proprietary data access, and stealthy host inspection.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The README goes beyond legitimate stock analysis and documents reverse-engineering, process-memory reading, packet capture, and protocol simulation to obtain proprietary Level2 data. In this skill context, those capabilities materially expand from normal data consumption into techniques commonly used to bypass intended access controls, increasing abuse potential and legal/compliance risk.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The process-memory reading approach instructs users to locate another process and parse its memory to extract data, which is a powerful invasive capability unrelated to ordinary investment analysis. This can expose sensitive information from the target process, facilitate evasion of normal permission models, and create a path for misuse beyond the stated purpose.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Documenting protocol analysis, Wireshark capture, and simulated client behavior for a private financial data service enables reconstruction of proprietary network interactions and potential circumvention of authentication or service restrictions. In a stock-analysis skill, these are not necessary baseline capabilities and substantially increase the likelihood of unauthorized access or account abuse.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The README presents the tool as a practical data-access solution while acknowledging methods that may violate user agreements, normalizing risky acquisition techniques instead of treating them as prohibited. This framing lowers the barrier to misuse and can encourage unauthorized collection of paid or restricted financial data.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documentation states that memory-reading functionality requires administrator privileges, which is a major escalation beyond ordinary stock analysis. Any feature that inspects process memory under elevated privileges can expose sensitive information from the host and materially increases the blast radius if the skill is abused or compromised.

Description-Behavior Mismatch

Low
Confidence
81% confidence
Finding
The top-level description emphasizes local data access and analysis, but the skill also includes a client that connects to a remote server. Even if not inherently malicious, this under-disclosure is security-relevant because users may assume the skill is offline/local-only and not expect outbound communications to third-party infrastructure.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script reads a TUSHARE_TOKEN from the environment and initializes a Tushare client, enabling outbound access to an external market-data service. In the context of a skill advertised as working with local Tonghuashun Level2 data, this is a capability mismatch that can cause unexpected network access and use of sensitive credentials, even if it is not overt credential theft.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The code presents itself as Tonghuashun Level2 advanced analysis but does not process local Tonghuashun or Level2 data; instead it performs ordinary daily-bar analysis via Tushare. This deceptive capability mismatch can mislead users into trusting outputs or approving execution under false assumptions about data provenance and sensitivity.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The printed banner and functionality claims tell the user they are receiving Tonghuashun Level2 analysis, while the actual code pulls daily data from Tushare. Misrepresentation of the active data source is a security-relevant trust issue because users may unknowingly permit external data access or rely on results that do not match the promised analysis depth.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The skill claims to operate on local 同花顺 Level2 data, but instead initializes an external Tushare client and depends on a network-retrieved data source. This hidden capability expansion increases trust risk, may transmit metadata off-host, and can cause users to grant credentials or network access they did not intend based on the manifest.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script does more than analyze local data definitions: it automatically generates reusable client code for a proprietary protocol and writes that code to disk. In the context of a stock-analysis skill, this expands the capability from passive analysis into operational protocol replication, which can enable unauthorized access patterns, reverse engineering, or downstream misuse beyond the declared purpose.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The `capture_tcp_stream` function explicitly supports traffic capture and describes MITM-style interception, including SSL certificate configuration for inspecting encrypted traffic. That capability is not necessary for ordinary investment analysis and materially increases risk by facilitating interception of proprietary data, credentials, session data, or other sensitive communications.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The top-level description frames the script as a protocol analysis utility, but the implementation also generates executable client request code, which is a materially more powerful behavior than disclosed. This mismatch is dangerous because it obscures the true operational capability of the skill and can mislead reviewers or users about the risk profile.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file embeds hardcoded portfolio holdings, including share counts and cost basis, and then fabricates analysis from seeded mock data instead of using the claimed Tonghuashun Level2/local data sources. In a financial-analysis skill, this is dangerous because it can expose sensitive investment information and produce materially misleading outputs while presenting them as legitimate analysis.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The code writes detailed analysis results to a predictable local JSON file beside the script without any user consent, access control, or sensitivity checks. In this skill context, those outputs may contain portfolio and trading-analysis data, creating unnecessary local data persistence and possible disclosure to other local users, processes, or backups.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The file advertises Level2/local data analysis but actually operates on hard-coded holdings and synthetic history generated by `_generate_mock_data()`. In an investment-analysis skill, this is dangerous because users may make portfolio decisions believing outputs are based on real market data when they are in fact fabricated, creating a high risk of financial harm through deceptive or inaccurate recommendations.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The code produces stock scores, signals, and action-oriented suggestions such as '积极关注' and '回避' from simulated inputs rather than verified market feeds. Because this is framed as technical analysis for holdings, the mismatch materially increases the chance that users will rely on false analytics for trading decisions, making it more serious than a mere quality defect.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The module documentation claims support for Level2-derived analytics, but the implementation never reads or processes real Level2 data. In this financial context, misleading capability claims can induce unsafe trust in the tool's outputs and conceal that conclusions are based on simulation rather than actual order-flow or market-depth information.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The example goes beyond normal Level2 data access and includes process-memory reading, TCP protocol reverse-engineering guidance, Wireshark capture instructions, x64dbg/IDA analysis, and administrator-privileged access to another process. That materially expands the skill from data analysis into invasive access techniques that could be reused to bypass vendor controls, extract proprietary data, or facilitate unauthorized access to a local application.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The file header describes the code as a general Level2 data retrieval example, but the implementation also covers process-memory access and reverse-engineering workflows. This mismatch can mislead users into running code or following guidance they would not expect from the description, reducing informed consent and obscuring the true security-sensitive behavior of the skill.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The code initializes a Tushare client and retrieves remote market data even though the skill description claims it works with 同花顺远航 local Level2 data. This mismatch is security-relevant because users may grant the skill access under incorrect assumptions about data locality, network use, and trust boundaries.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill reads an environment-stored API token and uses it to access a third-party market API, while the declared purpose suggests local 同花顺 data analysis. This is dangerous because it silently broadens the trust boundary to external services and may cause users to expose credentials and permit network activity they did not expect.

Description-Behavior Mismatch

Low
Confidence
82% confidence
Finding
Writing analysis output to a fixed local path without user approval can create unintended local data persistence and overwrite risks. In a skill context, silent writes are dangerous because they may leak sensitive analysis artifacts to predictable locations or interfere with existing files in the workspace.

VirusTotal

65/65 vendors flagged this skill as clean.
