Security audit

market-beats-prana

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed remote client for a Prana financial-news skill, with real credential and remote-processing cautions but no artifact-backed deception or destructive behavior.

Install only if you are comfortable sending prompts for this financial-news skill to the Prana/ebonex backend. Prefer environment variables for credentials, or set PRANA_SKILL_SKIP_WRITE_API_KEY=1 and PRANA_SKILL_NO_AUTO_API_KEY=1 to avoid automatic key storage or creation. Do not commit config/api_key.txt.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill declares no permissions, yet its documented/runtime behavior implies access to environment data, local files, file writes, and network endpoints. This undermines user and platform trust because operators cannot accurately assess what the skill will access before execution, and hidden capability scope increases the chance of credential exposure or unintended remote actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The advertised functionality is a real-time financial news crawler and display tool, but the actual documented behavior includes remote agent invocation, polling execution results, and handling API credentials from local files and remote endpoints. This mismatch is dangerous because users may authorize a seemingly simple news skill without realizing it can exfiltrate prompts/data to third-party services and persist or use sensitive credentials.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The README and skill metadata claim this package is a real-time finance news crawler/display skill, but the documented runtime behavior is a generic remote thin client that fetches credentials, forwards arbitrary user input to a server-side agent, and returns raw responses. This mismatch is dangerous because users and host platforms may grant trust, permissions, or deployment based on the advertised purpose while actually executing a much broader remote-agent wrapper with opaque behavior.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Automatically acquiring and persisting API credentials locally is broader than necessary for a skill presented as news monitoring/display, and it increases the attack surface if the local environment is shared, compromised, or the file is later exposed. In this context, credential storage is especially concerning because the package is only a thin client to a remote service, so compromise of the stored key could enable unauthorized use of the backend on the user's behalf.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
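This file does not describe the configuration needed for financial news crawling; instead, it guides the user to obtain and persist Prana Claw API credentials that are unrelated to the skill, which is a clear capability overreach. Mixing third-party account key acquisition, writing to disk, and account-creation flows into an unrelated skill is a typical suspicious supply-chain/credential-harvesting signal, and may lead to unauthorized external access or subsequent abuse.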

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
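The file explicitly states that it can automatically request an external API to obtain an account key and, when no local credentials exist, write the result back to the configuration file; this is high-risk secret acquisition and persistence behavior. For a financial news flash skill, this capability is neither necessary nor proportionate; if exploited, it could create accounts, obtain credentials, and establish persistent access without the user's knowledge.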

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
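The file name appears to be a generic API key configuration, but the comments bind it to the unrelated Prana Claw service and account flow; this disguised naming obscures the real behavior and reduces review visibility. Even if it does not immediately trigger an attack, it can mislead maintainers into accepting a sensitive integration unrelated to the skill, increasing the risk of credential abuse and backdoor insertion.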

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file is not implementing the advertised 7x24 financial news crawling/WebSocket functionality at all; it is a thin wrapper that forwards arbitrary user input to a remote Prana service. That supply-chain mismatch is dangerous because users may grant trust, network access, and credentials to a package whose true behavior is opaque and controlled remotely, expanding the attack surface far beyond the stated skill purpose.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This code can retrieve Prana API credentials over the network and persist them locally, which is unrelated to a market-news display skill and materially increases secret-handling risk. If the base URL is misconfigured, malicious, or intercepted, the skill could obtain and store credentials that enable broader access to remote services.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The manifest includes a paid-skill purchase verification flow and external order endpoint that is not clearly necessary for a skill described as real-time financial news crawling and display. This expands the trust boundary to billing-related infrastructure and may prompt handling of API credentials or purchase-status data unrelated to the stated function, increasing the risk of data exposure or deceptive capability creep.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README states that the client will automatically write retrieved API keys to config/api_key.txt, but the warning about secret storage is not prominent at the point of action. Silent or low-visibility persistence of credentials can lead to accidental exposure through backups, shared workspaces, file sync, or source-control mistakes.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The documentation instructs users to send an API credential pair in the x-api-key header and references storing the secret in a local plaintext file, but it provides no warning about secrecy, rotation, least-privilege handling, or avoiding logs/client-side exposure. In this skill's context, that is more dangerous because the same skill also appears to proxy remote execution and return raw service responses, increasing the risk that secrets are mishandled, logged, or reused insecurely.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill silently falls back to fetching API credentials from the network when local credentials are absent, without an explicit confirmation step. In the context of an ostensibly local market-news skill, this hidden credential bootstrap is dangerous because it can trigger unexpected secret acquisition and trust a remote endpoint chosen by configuration.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Fetched credentials are written to config/api_key.txt by default, creating a plaintext secret-at-rest risk without a prominent user-facing warning. This can expose credentials through local compromise, accidental repository commits, backups, or multi-user system access.

VirusTotal

No VirusTotal findings

Static analysis

Detected: suspicious.env_credential_access, suspicious.potential_exfiltration

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/prana_skill_client.js:26

File read combined with network send (possible exfiltration).

Warn
Code
suspicious.potential_exfiltration
Location
scripts/prana_skill_client.js:94