Finance Radar

Security checks across malware telemetry and agentic risk

Overview

Finance Radar is mostly a disclosed market-analysis skill, but it can silently install software at runtime and its billing helper can charge by default without a strong confirmation gate.

Review before installing. Only use this skill where runtime pip installs are allowed, or preinstall yfinance yourself, and do not provide SKILLPAY_API_KEY unless you are comfortable with the billing helper being able to charge a SkillPay account. Require manual approval before billing commands, and avoid storing real portfolio data unless local workspace persistence is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (23)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return yfinance
    except ImportError:
        import subprocess
        subprocess.check_call([sys.executable, "-m", "pip", "install", "yfinance", "-q"])
        import yfinance
        return yfinance
Confidence
95% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "yfinance", "-q"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import yfinance; return yfinance
    except ImportError:
        import subprocess
        subprocess.check_call([sys.executable, "-m", "pip", "install", "yfinance", "-q"])
        import yfinance; return yfinance
Confidence
95% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "yfinance", "-q"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import yfinance; return yfinance
    except ImportError:
        import subprocess
        subprocess.check_call([sys.executable, "-m", "pip", "install", "yfinance", "-q"])
        import yfinance; return yfinance
Confidence
95% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "yfinance", "-q"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import yfinance; return yfinance
    except ImportError:
        import subprocess
        subprocess.check_call([sys.executable, "-m", "pip", "install", "yfinance", "-q"])
        import yfinance; return yfinance
Confidence
93% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "yfinance", "-q"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import yfinance; return yfinance
    except ImportError:
        import subprocess
        subprocess.check_call([sys.executable, "-m", "pip", "install", "yfinance", "-q"])
        import yfinance; return yfinance
Confidence
95% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "yfinance", "-q"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import yfinance; return yfinance
    except ImportError:
        import subprocess
        subprocess.check_call([sys.executable, "-m", "pip", "install", "yfinance", "-q"])
        import yfinance; return yfinance
Confidence
95% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "yfinance", "-q"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import yfinance; return yfinance
    except ImportError:
        import subprocess
        subprocess.check_call([sys.executable, "-m", "pip", "install", "yfinance", "-q"])
        import yfinance; return yfinance
Confidence
95% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "yfinance", "-q"])

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Installing a Python package on demand is unnecessary for a normal finance analysis skill and causes unreviewed third-party code to be fetched and executed in the runtime environment. In this context, the skill only needs market data retrieval, so hidden dependency installation makes the behavior more dangerous, not less, because it can modify the host and pull code from external repositories unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Installing a Python package during execution adds software to the environment beyond the expected analysis operation and does so implicitly. In an agent skill context, this is more dangerous because the skill may run in shared or sensitive environments where unapproved package installation can alter behavior, introduce malicious code, or violate platform security assumptions.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Installing a Python package during normal skill execution is outside the expected behavior of a finance analysis tool and expands the attack surface beyond data retrieval and analysis. In this context, the skill has no legitimate need to alter the host environment at runtime, so the finance-skill context makes the behavior more suspicious and more dangerous from a platform-security perspective.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Automatically installing a package during execution gives the skill environment-modifying capability that is unrelated to the user's direct stock-scoring request. In an agent context, this is more dangerous because the skill may run with broad environment permissions and the user may not expect package installation or network access as a side effect.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The helper function is designed to alter the execution environment by installing a missing dependency on demand, which is outside the expected behavior of a watchlist/alert script. In the context of an agent skill, this is more dangerous because the host may execute skills automatically, so a seemingly harmless finance command can trigger network access, package retrieval, and code execution from external sources.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation description is broad and overlaps many common finance-related user intents, including vague phrases like spotting rumors, early signals, and trending assets. Overbroad triggers can cause the agent to select this skill unexpectedly, leading to unnecessary external requests or paid invocations when a user only wanted general discussion rather than execution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Although the file mentions charges in the title text, the operational description and command workflow do not present a strong, user-facing warning that invocation may trigger external billing on each call. In practice this can cause unauthorized or surprising charges, especially because the documented workflow places billing as step 1 before command execution.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script silently installs software without any user-facing warning or confirmation, which violates least surprise and can lead to unauthorized changes in the execution environment. Because `pip install` can execute package build/install hooks and reach external networks, silent installation creates a meaningful integrity and supply-chain risk.

Missing User Warnings

High
Confidence
95% confidence
Finding
The CLI defaults to performing a charge operation when run, which can trigger real billing without an explicit confirmation step or clear user-facing warning. In a paid finance skill context, this creates a concrete risk of unintended charges from accidental invocation, automation mistakes, or wrapper code calling the script without understanding the default behavior.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The code sends user identifiers, billing amounts, and API key-authenticated requests to an external billing service, but there is no visible disclosure, consent handling, or data minimization in this file. While remote billing is expected for this skill, the lack of transparent notice and governance increases privacy and compliance risk if users are unaware their identifiers and payment-related data are being transmitted off-platform.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Automatically installing a package without any user-facing warning or consent is unsafe because it performs a network-dependent, environment-modifying action implicitly during normal execution. In an agent skill context, this can surprise operators, bypass change-control expectations, and expand the blast radius of dependency-confusion or malicious package compromise.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script installs a package via subprocess without user warning, confirmation, or policy gating, so invoking a stock scanner can unexpectedly trigger code download and execution paths. That hidden side effect is unsafe because users and operators may believe they are running a read-only analysis tool when it is actually changing the system and trusting external package infrastructure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Silently installing a package through subprocess with no disclosure or consent is unsafe because it performs a privileged environment modification and executes unreviewed dependency code as a side effect of normal use. In an agent skill context, this is more dangerous because users may not expect tool invocation to alter their Python environment or reach out to external package repositories.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill performs automatic pip installation without warning, confirmation, or administrative control. This is dangerous because it silently changes the execution environment, may trigger unexpected network access and code execution, and prevents users/operators from making an informed trust decision.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script installs software without warning or confirmation, so users and calling agents are not informed that execution will change the system state and contact package repositories. Silent installation reduces transparency and can violate least surprise, security policies, or compliance expectations in shared or production environments.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The package installation happens silently and without any user-facing warning, confirmation, or audit prompt, which undermines transparency and consent for a security-sensitive action. Even if the dependency is legitimate, silent installation can surprise operators, bypass operational controls, and make supply-chain compromise or unintended environment drift harder to detect.

VirusTotal

65/65 vendors flagged this skill as clean.
