prana-cyf-20260327

Security checks across malware telemetry and agentic risk

Overview

This skill is a thin wrapper around a remote finance-news backend, but it under-discloses three behaviors: remote execution of user input, passthrough of raw server output, and automatic storage of API keys in plaintext.

Review before installing. Running this sends your prompt to the default remote backend unless you override the base URL, may retrieve API credentials automatically, and may leave reusable credentials in config/api_key.txt. Proceed only if you trust that backend and are comfortable with raw server responses being shown directly; set PRANA_SKILL_NO_AUTO_API_KEY=1 and PRANA_SKILL_SKIP_WRITE_API_KEY=1 if you need tighter control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 85%
Finding:
The skill declares no permissions, yet its documented behavior and referenced clients imply network access plus local environment/config/file handling. This hidden capability expansion weakens user and platform trust boundaries because an integrator may approve the skill for simple news display while it can also read local secrets and communicate with external services.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The skill's description says it provides real-time financial news crawling/display, but the implementation behavior includes invoking an external agent service, retrieving API credentials, reading local config/environment data, and polling remote execution endpoints. That mismatch is dangerous because it can trick users into running a wrapper that exfiltrates secrets or proxies sensitive prompts/results to third-party infrastructure unrelated to the stated news-monitoring function.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The client fetches API credentials from a configured base URL without any authentication and, unless disabled, persists them to config/api_key.txt on disk. This is dangerous because any attacker-controlled or misconfigured base URL can supply credentials that the client will trust and store, and local persistence increases the chance of credential leakage through filesystem access, backups, or accidental commits.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding:
The packaged skill is presented as a real-time finance news crawler/UI, but this file is actually a thin client that forwards arbitrary user input to a remote Prana service for execution. That mismatch is dangerous because users may grant trust, credentials, or network access under false assumptions, while the real behavior depends on opaque remote logic outside the reviewed package.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The code can automatically fetch API credentials from a remote service and persist them locally, which is a sensitive credential-management feature unrelated to the user-facing promise of market-news display. This expands the trust boundary and increases the chance of silent credential issuance, reuse, or leakage from disk if the package is run in shared or poorly secured environments.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
By default, the script will automatically fetch API credentials from a remote service and write them to config/api_key.txt without an interactive confirmation at the time of use. This is dangerous because it silently materializes secrets on disk, where they may be exposed through backups, repo commits, multi-user hosts, or weak filesystem permissions.

VirusTotal

No VirusTotal findings