finstep-mcp

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed financial-data API wrapper, with credential-handling and broad lookup features users should understand before installing.

Install only if you trust Finstep with your financial lookup queries and API signature. Store FINSTEP_SIGNATURE as a secret, do not hardcode or share it, rotate it if exposed, and avoid using the URL parsing or broad web search helpers for confidential or internal content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill explicitly instructs users to execute local shell scripts (`bash scripts/*.sh`) and requires a secret environment variable, yet it declares no permissions. This creates a capability/permission mismatch that can bypass governance expectations, making it easier for an agent or reviewer to underestimate that the skill performs code execution and outbound network access.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
The skill exposes a generic `url_parse` capability that can fetch and parse arbitrary user-supplied URLs, which extends beyond the manifest’s stated financial-data scope. In an agent context, this broadens the attack surface to SSRF-style access, unintended retrieval of internal or sensitive endpoints, and exfiltration of fetched content to the external MCP service.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding:
The README tells users to export a long-lived API signature credential but provides no guidance on secure handling, such as avoiding shell history leakage, not hardcoding it in scripts, and rotating it if exposed. In an agent skill context, operators may copy this value into insecure environments, logs, or shared configuration, increasing the chance of credential disclosure and unauthorized API use.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding:
The trigger description is very broad, covering essentially any user request about quotes, sectors, company financials, macro data, research, or announcements. Overbroad routing can cause the skill to activate in unintended contexts, increasing the chance of unnecessary external API calls, secret use, and shell-script execution when a simpler or safer response would suffice.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The authentication signature is placed in the query string, which is commonly logged by proxies, gateways, browser/history tooling, observability systems, and server access logs. Even over HTTPS, query parameters are more likely to leak operationally than headers or POST bodies, so exposure of this signature could enable unauthorized use of the backend service.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The script sends the FINSTEP_SIGNATURE credential in the URL query string when calling the remote API. Query-string secrets are commonly exposed via logs, proxies, browser/history tooling, process inspection, and upstream infrastructure, which increases the chance of credential leakage beyond the intended recipient.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The skill description advertises very broad trigger conditions covering generic finance-related requests such as stock quotes, sector moves, company financials, macro data, and research/news. In an agent ecosystem, this can cause over-selection of the skill for many unrelated or only partially related user queries, increasing unnecessary exposure of the required secret-backed external service and creating opportunities for data overreach or unintended tool invocation.

VirusTotal

64/64 vendors flagged this skill as clean.
