Quant Stock Picker Pro

Security checks across malware telemetry and agentic risk

Overview

This stock-screening skill mostly matches its stated purpose, but it needs review because it changes network proxy settings and imports code from a hard-coded local path outside the package.

Install only if you are comfortable with a finance tool that fetches external market and sentiment data and may be scheduled to run every weekday. Before use, remove the hard-coded sys.path entry, remove or make opt-in the proxy environment changes, choose your own output directory, and treat all stock picks as informational rather than investment advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises automated data collection, scheduled execution, and multiple external data sources, yet the metadata does not declare permissions for network or environment access. This creates a trust gap: users and the host platform cannot accurately assess what capabilities the skill will use, and hidden capability use can enable unintended data exfiltration or uncontrolled outbound requests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is stock screening, but the referenced behavior extends to local file writes, undeclared third-party services, scraping, and additional ML/factor-mining components not disclosed to users. This mismatch is dangerous because it prevents informed consent and can mask privacy, integrity, and supply-chain risks behind a seemingly narrow finance tool.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script globally overrides proxy-related environment variables at startup, which can silently bypass enterprise egress controls, monitoring, or user-configured network routing for the current process and its children. In a skill context, this is dangerous because the user expects a stock screener, not code that alters network security posture before making external requests.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Injecting a hard-coded local directory at the front of sys.path allows imports to be resolved from an arbitrary filesystem location outside the skill package, enabling module hijacking if that path is writable or compromised. Because the script then imports trusted-looking module names from that path, an attacker could achieve arbitrary code execution under the agent's privileges.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are generic investment terms such as '推荐股票' ("recommend stocks") and '今天买什么' ("what should I buy today"), which are likely to activate during ordinary financial discussion without clear user intent to invoke this specific skill. Overbroad invocation can cause unexpected execution, unnecessary network activity, and unrequested investment recommendations in sensitive contexts.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Writing a CSV report to a fixed absolute path without user confirmation can cause unintended persistent storage of potentially sensitive analysis results and may overwrite files or fail unpredictably depending on host layout. In an agent skill, silent disk writes are more concerning because users may not expect local filesystem side effects from a screening request.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script performs external HTTP requests and later additional news/social sentiment collection without clearly informing the user, creating undisclosed network egress and potential data-sharing with third parties. This is especially risky here because the code also disables proxies, which can further reduce visibility and policy enforcement around those outbound requests.

VirusTotal

64/64 vendors flagged this skill as clean.