Justice Plutus

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The artifacts describe a coherent local stock-analysis runner, with the main cautions being its use of user-supplied API/provider credentials, reliance on a local JusticePlutus installation, and optional outbound notifications.

Use this only with a trusted local JusticePlutus repository or virtual environment. Provide only the API keys or cookies needed for the mode you run, and enable --notify only after confirming the destination webhook or chat channel.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

These credentials may allow the local pipeline to call third-party services or access configured provider accounts under the user's authority.

Why it was flagged

The skill discloses use of LLM keys and optional provider cookies/tokens/webhooks for its analysis and enhancement features.

Skill content

at least one usable LLM key path such as: `OPENAI_API_KEY` ... `WENCAI_COOKIE` ... `HSCLOUD_AUTH_TOKEN` ... `IFIND_REFRESH_TOKEN` ... `FEISHU_WEBHOOK_URL`

Recommendation

Set only the credentials needed for the specific mode being used, prefer scoped or easily rotated tokens, and remove optional cookies/tokens when not using those enhancements.

What this means

Running the skill executes code from the local JusticePlutus installation or Python environment.

Why it was flagged

The included wrapper delegates the main work to a local Python module rather than containing the full analysis implementation in the skill artifacts.

Skill content

"$python_cmd" -m justice_plutus "$@"

Recommendation

Use it from a trusted checkout or virtual environment, and review or update the local JusticePlutus repository before providing credentials.

What this means

If notification mode is used, generated results may be sent outside the local machine to the configured chat or webhook destination.

Why it was flagged

The artifacts disclose outbound notification channels and gate them behind the --notify option.

Skill content

notifications to configured channels, including Feishu and Telegram ... notifications are optional and only fire when channels are configured and `--notify` is used

Recommendation

Verify webhook URLs and channel membership before using --notify, especially if reports may contain private research or account-specific information.