同花顺 iFinD Integration Skill

Security checks across malware telemetry and agentic risk

Overview

The skill appears built for legitimate iFinD financial queries, but it needs review because it stores sensitive financial API tokens and can send token-backed requests or query text outside tightly scoped paths.

Review before installing. Use this only if you are comfortable giving the agent an iFinD refresh_token that will be cached locally; avoid pasting tokens into shared chats or logs, do not override --base-url unless you control the endpoint, prefer named endpoints over raw api-call, and leave LLM routing disabled unless you accept sending query text to the configured model provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding:
The skill documentation indicates capabilities involving environment variables, file access, and network use, but it does not declare corresponding permissions. This weakens transparency and security review because operators cannot accurately assess what the skill may access or transmit, especially since it handles authentication tokens and external API calls.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The skill is presented as an iFinD-only authenticated financial data tool, but it also supports sending user queries to an OpenAI-compatible external service for routing and performs token-management operations. This mismatch can mislead users and reviewers about where data goes and what the skill does, creating privacy and trust risks if sensitive financial queries are transmitted to third parties unexpectedly.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The optional OpenAI-compatible routing path introduces a third-party data flow unrelated to the stated constraint that data should come only from iFinD after authentication. Even if used only for routing, user query text may contain sensitive investment interests, account-related context, or proprietary research prompts, which would be exposed to an external provider.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The router sends raw user queries to an external OpenAI-compatible endpoint for intent classification, which means user inputs leave the iFinD-only trust boundary described by the skill metadata. In a financial-data skill, queries may contain sensitive watchlists, investment interests, or internal research prompts, so this is a real data-exposure and architecture-mismatch issue even if used only for routing.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The optional LLM-routing section instructs operators how to enable a third-party OpenAI-compatible API but does not warn users that their query content may leave the iFinD-only processing path. This lack of notice undermines informed consent and can lead to unintentional disclosure of sensitive financial queries or internal research requests.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The default prompt defines a very broad trigger condition for financial-data requests and mandates use of this skill whenever iFinD-capable data is relevant. This can cause unintended activation, leading the agent to steer users into authentication/token-handling flows and restrictive data-source behavior even when the user did not explicitly choose this integration.

Natural-Language Policy Violations

Severity: Medium
Confidence: 71%
Finding:
The prompt is written to force a Chinese-language/locale-specific interaction pattern and terminology correction behavior without checking the user's preferred language or locale. While not directly enabling code execution or data exfiltration, this can cause user confusion, misinterpretation of financial entities, and unsafe workflow assumptions during sensitive authentication guidance.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The example instructs users to export an API key for optional LLM routing, but it does not warn that queries and related financial data may be sent to an external model provider or advise on secure handling of the credential. In a financial-data skill, this increases the risk of unintended credential exposure and unauthorized transmission of potentially sensitive prompts or market research context to a third party.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding:
The routing examples for latest-price queries include very short everyday phrases such as '最新价', '现价', and '行情', which are broad enough to match many finance-related requests that may not actually be asking for a real-time quote. In an agent setting, overly broad triggers can cause the wrong tool or endpoint to be invoked, leading to misleading outputs, unintended authenticated data access, or bypass of more appropriate disambiguation steps.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding:
The index snapshot route is triggered by vague phrases like '看一下大盘' and '看盘面' without clear boundaries excluding broader market commentary, sector heatmaps, or multi-step analysis requests. That ambiguity increases the chance of misrouting user intent to a simple snapshot endpoint, producing incomplete or incorrect results while still consuming authenticated market-data capabilities.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The fundamentals route uses broad trigger words like '基本面', '财务', and '估值', which can overlap with many distinct financial tasks such as screening, forecast analysis, reports, or narrative research. In this skill, that creates a real risk of routing heterogeneous requests into a fixed `/smart_stock_picking` template set that may not match the user's actual need, causing erroneous financial answers under the authority of a trusted authenticated data source.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill instructs users to send a live iFinD refresh_token to the agent and says it will be cached, but it does not clearly warn that this token is a sensitive credential equivalent to delegated account access. In an agent setting, sending bearer-like secrets through chat or storing them without explicit handling guarantees increases the risk of credential theft, unintended retention, logging exposure, or later misuse.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The document allows routing user queries to an OpenAI-compatible external service but does not disclose to end users that their query content may leave the local environment and be processed by a third party. For financial workflows, queries can contain portfolio interests, trading intent, or proprietary research topics, so undisclosed transmission creates privacy, compliance, and confidentiality risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The code posts the user's raw query to an external API without any indication of consent, notice, or redaction. Because financial queries can contain sensitive business context or personally attributable investing activity, undisclosed transmission creates a privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The code persists a TokenBundle to disk as JSON with no encryption, permission hardening, expiry handling, or user disclosure. Because this skill handles authenticated financial-data access, any local user, process, backup system, or misconfigured filesystem that can read the file may obtain reusable credentials and access iFinD on the user's behalf.

VirusTotal

64/64 vendors flagged this skill as clean.
