F-AI News Search

Security checks across malware telemetry and agentic risk

Overview

The skill’s finance news and quote behavior is mostly coherent, but it asks agents to use a Finloop session cookie without clear consent, scoping, or credential-handling safeguards.

Install only if you trust the Finloop package and are comfortable sending finance queries and tickers to the listed Finloop endpoints. Do not paste or expose an sl-session cookie unless you understand which account it belongs to and why the specific request needs it; prefer a scoped or temporary credential if available. Treat returned market data and rankings as informational and verify important financial decisions elsewhere.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (19)

Context-Inappropriate Capability

Medium, 93% confidence

The skill explicitly instructs the agent to attach authentication cookies such as `sl-session` to requests for the AI hot-news API, but it does not define any user-consent, scoping, storage, or credential-handling safeguards. This creates a real risk of unnecessary credential disclosure to an external service and can cause authenticated user context to be used without clear authorization boundaries.

Context-Inappropriate Capability

Medium, 94% confidence

The skill explicitly instructs the agent to send a session cookie (`sl-session`) to an external service, but provides no manifest, scope restriction, or user-consent boundary explaining why credentialed access is necessary. This creates a real risk of credential leakage or unintended authenticated requests to a third-party endpoint, especially because the skill also encourages direct raw HTTP calls.

Vague Triggers

Medium, 79% confidence

The trigger phrases for search/news scenarios are broad enough to overlap with ordinary conversation, making it easier for the skill to activate and send user text to external APIs unintentionally. In a skill that performs outbound requests, overbroad activation increases the chance of unintended data transmission and action without sufficiently clear user intent.

Vague Triggers

Medium, 80% confidence

The stock-quote scenario includes a broad catch-all for 'other similar' pricing questions, which can cause ambiguous user messages to trigger outbound market-data queries. Because the skill transmits extracted identifiers and may infer symbols from names, weak trigger boundaries increase the risk of unintended external requests and mistaken symbol resolution.

Missing User Warnings

Medium, 92% confidence

The skill tells the agent to use cookie-based authentication for an external endpoint but does not warn the user that authenticated context or session data may be sent off-platform. This is dangerous because users may not realize their credentials or account-scoped access are being reused for third-party calls, creating privacy and session-handling risks.

Missing User Warnings

Medium, 88% confidence

The automated workflow mandates multiple external requests, including parallel detail fetches, without informing the user that their query context and possibly authentication data may be transmitted repeatedly to an outside service. The bulk/parallel nature increases exposure surface and amplifies privacy impact if credentials or sensitive prompts are included.

Vague Triggers

Medium, 93% confidence

The trigger definition uses broad catch-all language like 'other similar queries', which can cause the skill to activate on ambiguous or unrelated requests. In an agent setting, overbroad routing can lead to unintended API calls, incorrect handling paths, and user confusion, especially when financial content is involved.

Vague Triggers

Medium, 92% confidence

The 'today's AI hot news' scenario expands matching with vague 'similar questions' wording, leaving no clear boundary for activation. This makes it easier for normal AI-news-related conversation to be misrouted into a forced multi-step workflow that fetches all detail records.

Vague Triggers

Medium, 91% confidence

The market-session scenario uses a broad 'other similar related questions' trigger, which can unintentionally capture general finance questions. Because the endpoint auto-selects content based on server time, accidental invocation may produce irrelevant or misleading answers for the user's actual intent.

Vague Triggers

Medium, 89% confidence

The fund-ranking scene includes a vague fallback for 'other similar fund ranking queries' without operational limits. This can over-trigger on general fund discussion and cause unintended ranking retrievals in contexts where the user did not request leaderboard-style output.

Vague Triggers

Medium, 90% confidence

The stock-ranking scene uses similarly broad fallback wording, increasing overlap with ordinary stock inquiries. In a financial assistant, this can produce unintended ranked recommendations or summaries instead of answering the user's actual ticker-specific or informational question.

Vague Triggers

Medium, 90% confidence

The category-and-quantity news scene extends to 'other similar' requests without defining the grammar or required slots. That ambiguity can lead to brittle parsing, mistaken category selection, or excessive retrieval behavior when the user wording is only loosely related.

Vague Triggers

Medium, 92% confidence

The search-news scene treats 'other similar keyword search queries' as sufficient for activation, which is too open-ended. This can convert ordinary mention of a topic into a backend search request, increasing unintended data access and degrading predictability of skill behavior.

Vague Triggers

Medium, 94% confidence

The pagination scene allows activation on broad 'load more' style wording without clearly requiring prior query context. That can cause the skill to reuse stale or missing state, fetch unintended continuation data, or fail unpredictably when no prior result set exists.

Vague Triggers

Medium, 91% confidence

The stock-quote scene includes highly generic wording such as 'a stock's quote/price/change', which can match a wide range of casual financial discussion. In this context, over-triggering is more dangerous because the skill may perform market data lookups and symbol conversion based on underspecified or ambiguous company names.

Missing User Warnings

Medium, 95% confidence

The documentation instructs the caller to include an `sl-session` cookie for authentication but provides no safeguards around credential handling, minimization, storage, or user consent. In agent environments, this can normalize passing session tokens into tool calls and risks credential leakage, unauthorized reuse, or privacy violations.

Missing User Warnings

Medium, 95% confidence

The general notes repeat the requirement to carry an `sl-session` cookie but still omit any warning about treating it as a sensitive credential. Repetition without safeguards increases the chance that implementers will hardcode, forward, or mishandle session material across requests or logs.

Vague Triggers

Medium, 90% confidence

The manifest description says the skill should be used whenever Finloop news-related APIs are needed, but it does not define clear invocation boundaries, constraints, or disallowed contexts. In an agentic system, this broad activation language can cause over-triggering or unintended API use, which may expand the skill's operational scope beyond what the user intended.

Missing User Warnings

Medium, 92% confidence

The skill instructs credentialed requests using cookie authentication without warning the user that session information may be transmitted to an external service. This is dangerous because it normalizes silent authenticated outbound requests and can expose user session context or private account-scoped data.

VirusTotal

64/64 vendors flagged this skill as clean.