stock trading agents

Security checks across malware telemetry and agentic risk

Overview

This is a coherent stock-analysis skill, but it needs review because it sends full analysis context to external services, can print model reasoning into logs, and may install a Python package during normal use.

Install only in an isolated Python environment, review or pin dependencies, and do not provide private portfolio, client, or confidential research data unless you are comfortable sending the generated context to DashScope and possibly DingTalk. Avoid background logging for sensitive runs, or disable/sanitize streamed reasoning output first. Treat recommendations as research assistance, not trading instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (37)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        except ImportError:
            print("正在安装 fpdf2...")
            import subprocess
            subprocess.check_call([sys.executable, '-m', 'pip', 'install', 'fpdf2'])
            from fpdf import FPDF  # pyright: ignore[reportMissingModuleSource]

        # Get the path of a Chinese font
Confidence
97% confidence
Finding
subprocess.check_call([sys.executable, '-m', 'pip', 'install', 'fpdf2'])

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The implementation explicitly streams and prints model 'thinking' content to stdout even though comments imply only final text is retained. In an agent that processes trader reports and accumulated memory, chain-of-thought output can expose sensitive user data, inferred secrets, and internal reasoning into logs or consoles that may be collected centrally.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
NeutralRisk repeats the same unsafe pattern: it emits thinking content live to stdout despite documentation saying only text is kept. Because the memory includes prior prompts and responses, this can leak private report contents and intermediate reasoning to anyone with console or log access.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
ConservativeRisk also prints model thinking during streaming, contradicting the stated behavior and creating a disclosure channel. Since this agent analyzes potentially sensitive financial assessments, exposed reasoning may contain summarized source data or confidential strategy details.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
RiskFacilitator streams thinking content while coordinating the combined outputs of multiple agents, increasing the volume and sensitivity of leaked data. This is especially risky because the facilitator aggregates all three assessments, so one console leak may expose the full synthesized decision context.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill adds environment-modifying behavior by installing a Python package during execution, which is not necessary to safely perform stock diagnosis itself. This expands the capability of the script beyond analysis/report generation and creates a supply-chain and system integrity risk, especially when run with elevated privileges or in shared environments.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The fallback path in get_technical_indicators returns a hard-coded mock result with ts_code set to 000000.XX instead of the requested input symbol. In a trading-analysis skill, this can silently misattribute analysis to the wrong security and lead downstream agents or users to make decisions on fabricated or mismatched data, which is a meaningful integrity risk even if it is not code-execution or data-exfiltration.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill prominently promotes automatic generation of multiple reports and PDF output, but does not clearly warn upfront that it will write many artifacts to disk. In agent environments, undisclosed file creation can consume storage, overwrite prior outputs, or leave sensitive analytical data and API-derived content persisted longer than users expect.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation advertises real-time financial data integrations and API-backed operation without a clear disclosure that stock identifiers, prompts, report content, and possibly derived analysis may be sent to third-party services. This is a privacy and governance risk, especially in enterprise or regulated settings where outbound financial research or user-entered data may be sensitive.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The agent sends the full accumulated memory content to an external LLM endpoint, which may include analyst reports, risk discussions, and potentially sensitive user-provided financial data. In a trading-analysis skill, this increases risk because internal decision context and possibly confidential market or client information are transmitted off-box without any visible consent, disclosure, redaction, or data-minimization controls.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This agent sends user messages, the system prompt, and the conversation content held in memory to the external Alibaba Cloud DashScope API, but nothing in this file provides any explicit notice, consent gate, redaction, or data-minimization measure. In a stock-diagnosis scenario the inputs are very likely to contain research reports, position intentions, internal analysis, or other sensitive business data, so this is a genuine data-exfiltration/privacy risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The second researcher agent likewise sends the system prompt and user/context content to the external DashScope endpoint, and the code shows no local notice, permission confirmation, or constraint on sensitive content. Because this module is used for multi-agent stock analysis, the transmitted content may include non-public research conclusions and business context; the exposure surface is the same as for the previous agent.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The moderator agent not only sends user input to the external LLM but also sends the entire debate history and the aggregated analyst_reports, which widens the data-exposure scope and increases the risk of sensitive information leaking in aggregated form. Aggregated content is usually more valuable than a single-turn message and may contain multiple parties' views, summaries, and investment recommendations, so it is more dangerous in a trading/research scenario.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The agent is configured to send prompts to an external LLM endpoint at dashscope.aliyuncs.com, and later includes analyst reports and research debate text in those prompts. In a trading-analysis context, these inputs may contain proprietary research, market-sensitive data, or customer information, so transmitting them off-system without explicit disclosure or consent creates a real confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The script can send generated stock recommendations and metadata to an external DingTalk webhook without presenting a clear consent prompt or data-transmission warning at send time. In agent or automated environments, this can cause unintended disclosure of analysis outputs to third-party endpoints, especially because the webhook may come from environment configuration rather than an obvious interactive choice.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The runtime pip installation occurs with only a generic status print and no meaningful consent, warning, or safety boundary, so users may not realize the skill will modify the system and access package infrastructure. In an agent setting, hidden or under-disclosed environment changes are more dangerous because they undermine operator expectations and make review and containment harder.

Ssd 3

High
Confidence
99% confidence
Finding
The streaming handler prints model 'thinking' content directly, which can reveal sensitive trader report data, prior memory, inferred confidential information, or unsafe internal reasoning in plain-language logs. In production, stdout is often captured by terminals, log aggregators, containers, and monitoring systems, expanding the disclosure blast radius.

Ssd 3

High
Confidence
99% confidence
Finding
NeutralRisk duplicates the same direct-thinking leak path, so any sensitive material included in the prompt or memory may be exposed during streaming. Because the agent keeps conversation state, leakage can include both current and historical context, making this more dangerous than a one-off prompt disclosure.

Ssd 3

High
Confidence
99% confidence
Finding
ConservativeRisk exposes model reasoning in real time, which may contain paraphrased confidential report details and internal judgments about risk. This is a real confidentiality issue, especially in a finance-oriented multi-agent system where outputs may contain market-sensitive or proprietary analysis.

Ssd 3

High
Confidence
99% confidence
Finding
The facilitator also prints reasoning content while aggregating multi-agent assessments, creating a compounded leak surface across all participants' inputs and outputs. In this skill context, that means a single logging sink may capture end-to-end analysis, recommendations, and derived internal reasoning from the entire decision pipeline.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# PDF generation
fpdf2>=2.8.0

python-dotenv
Confidence
92% confidence
Finding
python-dotenv

Unpinned Dependencies

Low
Category
Supply Chain
Content
# AgentScope stock-diagnosis agent system dependencies

# Agent framework
agentscope>=0.0.5

# Data interfaces
tushare>=1.2.89
Confidence
95% confidence
Finding
agentscope>=0.0.5

Unpinned Dependencies

Low
Category
Supply Chain
Content
agentscope>=0.0.5

# Data interfaces
tushare>=1.2.89
akshare>=1.12.0

# Alibaba Cloud Quark Search SDK
Confidence
93% confidence
Finding
tushare>=1.2.89

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Data interfaces
tushare>=1.2.89
akshare>=1.12.0

# Alibaba Cloud Quark Search SDK
alibabacloud_iqs20241111>=1.0.0
Confidence
93% confidence
Finding
akshare>=1.12.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
akshare>=1.12.0

# Alibaba Cloud Quark Search SDK
alibabacloud_iqs20241111>=1.0.0
alibabacloud_tea_openapi>=0.3.0

# Base dependencies
Confidence
93% confidence
Finding
alibabacloud_iqs20241111>=1.0.0

VirusTotal

66/66 vendors flagged this skill as clean.
