Stock Deep Dive

Security checks across malware telemetry and agentic risk

Overview

This stock research skill is mostly coherent, but it needs Review because its optional Twitter/X scanning asks users to reuse browser session tokens and exposes broad environment secrets to an external CLI.

Install only if you are comfortable with the external finance/news sources and local portfolio storage. Avoid enabling Twitter/X social scanning on a primary account; if you use it, protect .env like a password, never commit it, prefer a dedicated low-risk account, and review the bird CLI before giving it credentials or Full Disk Access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for category, query in searches:
    try:
        env = os.environ.copy()
        result = subprocess.run(
            [bird_bin, "search", query, "-n", "15", "--json"],
            capture_output=True, text=True, timeout=30, env=env
        )
Confidence
93% confidence
Finding
result = subprocess.run([bird_bin, "search", query, "-n", "15", "--json"], capture_output=True, text=True, timeout=30, env=env)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The Twitter scan goes beyond simple market-data collection by launching a separate CLI and giving it broad access to the process environment. In a skill/plugin context, that is risky because the external tool can access secrets unrelated to stock scanning and can perform actions the user did not explicitly approve.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description explicitly states that it saves reports to '/war-room/reports + Vercel', which implies deployment and external publishing behavior, but it does not warn the user that invoking the skill may publish generated content outside the local environment. This omission can lead to unintended disclosure of research outputs, sensitive internal analysis, or proprietary data if users trigger the workflow without understanding that publication is part of the default flow.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README instructs users to extract live Twitter/X session cookies (`AUTH_TOKEN` and `CT0`) from browser developer tools and place them into a local `.env` file. Session cookies are credentials, not normal API keys; encouraging manual extraction and storage without strong warnings or safer alternatives increases the risk of account takeover if the tokens are exposed through logs, shell history, backups, or accidental commits.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The description is broad enough to trigger on many ordinary finance-related queries, which can cause the skill to activate outside a user's clear intent. That increases the chance of unnecessary data access, unexpected external calls, or persuasive financial output being injected into unrelated conversations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs users to place Twitter/X authentication secrets in a local .env file without warning about secure storage, scope, reuse risk, or exposure through logs, backups, or shared directories. Because these tokens enable account access, mishandling them could lead to credential theft or unauthorized use of the user's social media account.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation tells users to grant Terminal Full Disk Access and manually extract live X/Twitter session cookies, but it does not clearly warn that these are equivalent to account credentials and can enable account takeover if exposed. Combining elevated local access with browser-cookie harvesting materially increases the chance of credential theft, misuse, or accidental leakage into shell history, dotfiles, logs, or repos.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script silently runs an external Twitter/X CLI without clear user disclosure, which undermines informed consent in an agent skill context. Hidden subprocess behavior is dangerous because it may use local credentials or produce side effects beyond what a user expects from a 'scanner.'

Missing User Warnings

Medium
Confidence
75% confidence
Finding
The script reads a local .env file and injects every key-value pair into the process environment without restriction, then later forwards that environment to an external CLI. This can expose secrets unnecessarily to child processes and broadens the blast radius if the external tool logs, crashes, or transmits environment data.

Ssd 3

High
Confidence
97% confidence
Finding
The file explicitly instructs users to collect live authentication tokens from browser cookies and store them locally as environment variables or in a .env file. Those tokens can often be replayed to impersonate the user on X/Twitter, so normalizing their manual extraction and local plaintext storage creates a direct credential-handling weakness with meaningful account-compromise risk.

VirusTotal

65/65 vendors flagged this skill as clean.
