Comprehensive Stock Analysis (股票全面分析)

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis skill is not clearly malicious, but it needs Review because it ships hardcoded API credentials and under-disclosed networked helper scripts, and presents simulated technical indicators as normal financial analysis.

Install only after reviewing the source. Treat its investment recommendations and technical indicators as unreliable unless the simulated-data path is removed or clearly labeled, rotate/remove the embedded Finnhub token, restrict any Longbridge token exposure, and expect stock symbols or market interests to be sent to third-party quote/news services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Tainted flow: 'url' from os.environ.get (line 109, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
try:
        url = f'https://finnhub.io/api/v1/quote?symbol={code}&token={FINNHUB_KEY}'
        r = requests.get(url, timeout=10).json()
        
        if r.get('c'):  # current price
            return {
Confidence
94% confidence
Finding
r = requests.get(url, timeout=10).json()

Lp3

Medium
Category
MCP Least Privilege
Confidence
76% confidence
Finding
The skill declares browser capability and required binaries, but the analysis indicates effective network and environment access beyond clearly declared permissions. This creates a transparency and trust problem: users and hosts may underestimate what the skill can access, especially in a finance-oriented skill that may process sensitive portfolio or market-related prompts.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill description says Futu is the primary verified data source for stock analysis, but the implementation reportedly uses multiple other APIs, news scraping/sentiment, and debug/test scripts not disclosed to users. In a financial-analysis context, this mismatch is risky because users may rely on the provenance and scope of data when making investment decisions, while the actual behavior expands data collection and network exposure beyond expectations.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The report presents technical-indicator analysis as if it were based on real market history, but the indicators are calculated from randomly fabricated price data. In a financial-analysis skill, this is dangerous because it can mislead users into making trading decisions on false quantitative signals while appearing authoritative and data-driven.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
Although comments admit the historical-price logic is only simulated for demonstration, the user-facing report still prints RSI, moving averages, and technical interpretations as normal analysis. This mismatch between internal comments and external presentation increases the risk of deceptive output and user reliance on invalid conclusions.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list contains generic phrases such as 'report', '行情', and '港股' that are likely to match ordinary conversation and invoke the skill unintentionally. In a networked finance skill, accidental invocation can cause unexpected external requests, context leakage from user conversations, and confusing or misleading stock-analysis output when the user did not explicitly ask for it.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
A hardcoded Finnhub API token is embedded directly in source and sent in outbound requests. Secrets in code are easily exposed through source sharing, logs, backups, or repository history, enabling unauthorized reuse, quota exhaustion, billing abuse, or service suspension; in this finance-related skill, that can also disrupt availability and trust.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code embeds a live API token directly in source and sends it in outbound requests to a third-party service. Hardcoded secrets are easily exposed through source distribution, logs, or reuse in other contexts, and the user is not informed that external transmission occurs when the skill runs.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This request sends stock query parameters and usage metadata to an external API without any visible notice or consent flow. While the requested symbol is hardcoded here and not especially sensitive, undisclosed outbound network access in an agent skill creates privacy, compliance, and trust risks.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The recommendation endpoint is another undisclosed third-party call, increasing the amount of external data transmission during execution. Repeated hidden outbound requests can surprise users and may violate platform expectations or enterprise policies even when the payload is low sensitivity.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The file contains a hardcoded Finnhub API token directly in source code, which is a real secret-exposure issue. If this skill is shared, logged, indexed, or committed to version control, third parties can reuse the token to consume API quota, incur cost, or access associated account resources; in an agent skill context, embedded credentials are especially risky because skills are often distributed or inspected by others.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The script sends user-provided stock codes to external quote services without any disclosure or consent prompt. While stock tickers are not highly sensitive in isolation, in this skill context they can reveal user interests or holdings and create a quiet privacy leak to third parties.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script makes outbound requests to a third-party API using a bearer token without any user-facing disclosure or consent mechanism. In an agent-skill ecosystem, undisclosed network access can surprise operators, leak usage metadata, and bypass expectations about what data leaves the environment.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script accesses a sensitive credential from the environment but does not disclose that it consumes secrets from the host runtime. In shared or managed agent environments, undisclosed secret access is risky because operators may not realize the skill depends on or can use available credentials.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
A hardcoded API token embedded in source code is a real secret-management vulnerability because anyone with access to the file can extract and abuse the credential. This can lead to unauthorized API usage, quota exhaustion, billing impact, or service suspension, and the skill context increases risk because agent skills are often shared, logged, or deployed into environments where source exposure is plausible.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
84% confidence
Finding
The trigger '行情' is extremely short and ambiguous, increasing the chance of accidental invocation during normal discussion of markets or general conditions. Because the skill can perform external lookups, even low-friction accidental activation can expose conversational context to third-party services or produce unsolicited finance output.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
80% confidence
Finding
The trigger '持仓' is broad and may appear in ordinary portfolio or personal-finance conversation without an intent to invoke the skill. In context, that can cause accidental processing of potentially sensitive investment context and unnecessary outbound requests to market data providers.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
81% confidence
Finding
The trigger '港股' is too generic and can match casual discussion of Hong Kong equities rather than a deliberate request to invoke the skill. Since this skill is network-enabled and finance-focused, unintended activation could lead to unnecessary third-party requests and user confusion about why analysis began.

VirusTotal

60/60 vendors flagged this skill as clean.
