Finance Monitoring (财经监控)

Security checks across malware telemetry and agentic risk

Overview

This finance-monitoring skill is mostly coherent, but it is preconfigured to send reports to a specific WeChat recipient that may not belong to the installer.

Install only after replacing the embedded WeChat target with your own user-scoped destination and requiring confirmation before each send. The market-data lookup portions appear purpose-aligned, but the hard-coded outbound channel should be reviewed and removed or reconfigured.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill documents both network access and shell execution but does not declare permissions, which weakens reviewability and informed consent. In this context, shell use is not merely incidental: the document explicitly instructs curl/grep-based retrieval, so the undeclared capability could enable unreviewed outbound access or command execution paths.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The documentation instructs use of arbitrary shell commands to fetch market data, which exceeds the minimum capability needed for a quote-lookup skill and expands the attack surface. Once shell execution is normalized in the skill flow, user-controlled or future-modified inputs could be incorporated into commands, creating command-injection and uncontrolled network access risks.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill hard-codes a specific WeChat session as the message destination instead of requiring a user-selected target at runtime. That creates a built-in disclosure path where gathered content can be silently forwarded to a fixed external recipient, which is especially dangerous because the push is part of the documented workflow rather than an optional user-confirmed step.

Vague Triggers

Medium
Confidence
81% confidence
Finding
Overly broad trigger phrases increase the chance of accidental activation, which in this skill can lead to unintended web access and possible external message pushing. Because the workflow includes downstream actions beyond simple local formatting, false triggers can cause privacy-impacting side effects rather than harmless replies.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs automatic pushing of reports to a fixed WeChat channel without a clear consent or warning step. In context, this is more dangerous because the destination is not merely external but prebound to a specific identity, making unreviewed disclosure of user-request-derived content the expected behavior.

Missing User Warnings

High
Confidence
99% confidence
Finding
The markdown exposes a bound push configuration containing a specific WeChat target and session without privacy safeguards. Embedding recipient identifiers directly in skill documentation materially increases the risk of unauthorized disclosure and makes the skill act like a hard-wired forwarding rule.

Ssd 3

High
Confidence
99% confidence
Finding
This is a clear natural-language data disclosure path: the skill instructs forwarding gathered content to a fixed external WeChat session. Even if the content is market data, user queries, timing, and any generated analysis are still user-associated outputs, and hard-coding the recipient removes meaningful user control over where that information goes.

Ssd 3

High
Confidence
99% confidence
Finding
The embedded command template always forwards report text to a specific WeChat identity, operationalizing exfiltration rather than merely describing a possible integration. The presence of both recipient identifiers and a ready-to-run send command makes the disclosure path concrete, repeatable, and difficult for end users to detect or override.

VirusTotal

65/65 vendors flagged this skill as clean.
