Comprehensive Stock Analysis v3 (股票全面分析v3)

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis skill is not destructive, but it embeds API credentials and can present simulated or placeholder financial analysis as actionable investment guidance.

Review carefully before installing. Treat generated investment recommendations as unreliable unless the simulated indicators and placeholder financial data are fixed or clearly labeled, and remove or rotate embedded API tokens before distribution or use. Expect stock symbols and request metadata to be sent to third-party financial/news services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Tainted flow: 'url' from os.environ.get (line 109, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
try:
        url = f'https://finnhub.io/api/v1/quote?symbol={code}&token={FINNHUB_KEY}'
        r = requests.get(url, timeout=10).json()
        
        if r.get('c'):  # current price
            return {
Confidence
94% confidence
Finding
r = requests.get(url, timeout=10).json()

Lp3

Medium
Category
MCP Least Privilege
Confidence
79% confidence
Finding
The skill metadata declares only browser capability, but the analysis indicates the implementation also uses environment access and network connectivity without corresponding permission disclosure. This creates a trust and review gap: users and platform controls may underestimate what the skill can access or transmit, increasing the risk of unintended data exposure or unreviewed external communications.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill's declared behavior materially differs from the reported implementation, including use of unexpected third-party sources, debugging/probing scripts, placeholder financial data, and simulated technical indicators. This is dangerous because users may rely on inaccurate or fabricated outputs for financial decisions, while hidden probing/debug behavior expands the attack surface and undermines informed consent about what the skill actually does.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The code explicitly generates simulated historical prices using random variation, then presents the resulting RSI and moving averages as if they were real technical analysis. In a stock-analysis skill, this is especially dangerous because users may make financial decisions based on fabricated indicators that are not labeled as synthetic or unavailable.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module and function documentation state that financial data is retrieved from Futu, but the implementation only builds a URL and returns placeholder values. In a stock-analysis skill, this can mislead downstream logic and users into believing reports are based on live financial data when they are actually incomplete or fabricated, creating integrity and trust risks in investment-related output.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill metadata promises Futu-backed financial-statement analysis, but this file does not fetch any real financial data. In the context of investment analysis, this mismatch is dangerous because users may rely on unsupported conclusions for financial decisions, making the integrity issue more serious than in a low-stakes domain.

Vague Triggers

Medium
Confidence
75% confidence
Finding
Broad trigger phrases can cause the skill to activate during ordinary finance discussion, leading to unintended browser use or external data retrieval without clear user intent. In a skill that reaches third-party market and news sources, accidental invocation increases privacy, consent, and reliability risks because the user may not expect external lookups to occur.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The description does not warn users that the skill performs third-party data retrieval and browser-based access. This is risky because users are not adequately informed that their queries may be sent to external services or that the browser may navigate to outside sites, which affects consent, privacy expectations, and safe operation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
A hardcoded API token embedded in source code is a genuine secret-management weakness. If the code is shared, logged, or published, third parties can reuse the token to consume the external service, potentially causing quota exhaustion, billing exposure, or account abuse; the lack of user disclosure also obscures outbound third-party data sharing.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script hardcodes a live Finnhub API token directly in source code and immediately uses it in outbound requests. Exposed credentials can be reused by anyone with access to the skill files, leading to unauthorized API consumption, quota exhaustion, billing abuse, and possible account compromise; in an agent skill context this is more dangerous because the code is intended to be distributed and run by others.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
A hardcoded API token embedded in source code is a real secret-handling vulnerability because anyone with access to the file can reuse the credential for unauthorized API calls, quota exhaustion, or account abuse. In an agent skill context, this is more dangerous because skills are often shared, logged, packaged, or inspected by others, increasing the likelihood of token disclosure beyond the original author.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
A hardcoded API token is embedded directly in source and used for outbound requests. This exposes the credential to anyone with code access, enables unauthorized reuse or quota theft, and makes credential rotation difficult; in an agent skill context, undisclosed external network calls also increase privacy and supply-chain risk.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
A hardcoded API token embedded in source code is a real secret-management vulnerability. If the code is shared, logged, or exposed through the skill package, third parties can reuse the token for unauthorized API calls, causing quota exhaustion, billing impact, or service abuse; the undisclosed outbound request also reduces user awareness of external data sharing.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill makes outbound requests to third-party quote services without any user disclosure, which can expose user-supplied stock symbols and usage patterns to external providers. In this skill context the transmitted data is not highly sensitive by default, so the impact is limited, but undisclosed external transmission is still a privacy and transparency issue.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code accesses an API credential from the environment and uses it for outbound requests without any disclosure or operator guidance. In a shared agent-skill environment, secret use should be explicit because it affects data governance, billing responsibility, and incident response if the credential is abused or leaked.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script silently consumes a bearer token from the environment and immediately uses it in outbound requests without any user confirmation, audit notice, or safeguards around where the credential is sent. In an agent-skill ecosystem, hidden credential use increases the chance of unauthorized external calls and makes secrets handling less transparent to operators.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
A hardcoded API token in source code is a real secret-management vulnerability because anyone with access to the code can reuse the credential for unauthorized API calls, quota exhaustion, or account abuse. In an agent skill context, this is more dangerous because skills may be shared, logged, or packaged broadly, increasing the likelihood of credential leakage.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The function sends a user-influenced stock symbol to an external Tencent market-data endpoint, which creates a privacy/transparency issue because user input is transmitted off-platform without explicit disclosure or consent handling. While the symbol itself is usually low-sensitivity data, it can still reveal user interests, trading research targets, or internal watchlists in some contexts.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This module sends stock symbols and related query context to multiple third-party services (Futu and ai.6551.io) without any visible user consent, disclosure, or data-minimization controls. In an agent skill context, user requests may reveal trading interest or portfolio intent, so silent transmission to external providers creates a real privacy and data-governance risk even though it is not direct code execution or injection.

Ssd 3

Medium
Confidence
99% confidence
Finding
A hardcoded API token is present as the fallback value for FINNHUB_KEY. Hardcoded shared credentials are dangerous because they can be extracted from source, reused by unauthorized parties, incur billing abuse, and become difficult to rotate once distributed; here the risk is amplified because the token is also sent in the request URL.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
72% confidence
Finding
The trigger '港股' is so short and generic that it may match casual conversation and activate the skill unintentionally. Because this skill may perform browser access and external lookups, accidental activation can lead to unanticipated network activity and confusing or privacy-impacting behavior.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
72% confidence
Finding
The trigger '财报' is overly generic and may fire during normal discussion about earnings or reports, not only when the user intends to run the skill. In context, unintended activation matters because the skill can fetch external content and produce authoritative-seeming financial analysis without a clearly scoped request.

VirusTotal

64/64 vendors flagged this skill as clean.
