Security audit

jun-invest-option-master (DEPRECATED)

Security checks across malware telemetry and agentic risk

Overview

The package is labeled as deprecated, but it still contains active installation, update, registration, git-hook, scheduled publishing, and account-linking workflows that need careful review.

Treat this as an active agent workspace, not a harmless deprecated stub. Before installing, review the scripts and avoid auto-install unless you explicitly want local workspace changes, git hooks, launchd scheduled publishing, and agent registration. Do not link WhatsApp, Telegram, broker, or market-data accounts unless you understand what local data and credentials the workspace can access. I did not find clear malware, secret exfiltration, destructive commands, or automated trade placement, so Review is appropriate rather than malicious.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (42)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill metadata declares only that the skill is deprecated, yet the static analysis indicates substantial capabilities including environment access, file I/O, networking, and shell use. Undeclared powerful capabilities reduce transparency and can cause unsafe execution or privilege misuse because operators cannot make informed trust decisions from the manifest alone.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
There is a severe description-behavior mismatch: the file claims the skill is merely deprecated, while analysis attributes broad operational behaviors including market data access, local file validation, workspace installation, git hook initialization, publishing, and launchd job installation. This kind of concealment is dangerous because users may invoke or install the skill under false assumptions, enabling unexpected code execution, persistence, or exfiltration pathways.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The AGENTS.md grants this skill operational authority to update, install, and publish software even though the metadata says the skill is deprecated and should instead point users to a replacement agent. This mismatch can mislead operators and cause the deprecated skill to perform privileged lifecycle actions that exceed its apparent purpose, increasing the chance of unauthorized or unsafe changes.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The file explicitly authorizes forced updates, installer execution, agent registration, optional gateway restart, and publish workflows, which are powerful system-modifying operations. In the context of a deprecated skill, these capabilities are unjustified and dangerous because they can alter local state, replace workspace assets, and affect running services under the guise of a simple conversational command.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The bootstrap content directs the agent to perform identity bootstrapping, collect user profile information, and offer external messaging onboarding despite the skill being described as deprecated. This mismatch increases the risk that a user or hosting agent will grant the skill broader trust than warranted, enabling unexpected data collection and behavior outside the declared purpose.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to help link WhatsApp or Telegram accounts, which can move interactions off-platform and expose personal accounts, identifiers, and message content. Because this behavior is not justified by the deprecated skill description and lacks privacy, consent, and security warnings, it creates a meaningful risk of unintended account linking and data exposure.

Context-Inappropriate Capability

Low
Confidence
90% confidence
Finding
The instructions tell the agent to create and persist identity and preference files for both the agent and the user even though that stateful behavior is not justified by the stated purpose. Unnecessary persistence increases privacy risk and can normalize collecting personal details without clear need, retention limits, or user awareness.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The prompt explicitly instructs the agent to modify the repository, run self-checks, create git commits, and trigger publication actions, even though the skill metadata says the skill is deprecated and should redirect to another agent. This creates an unjustified capability expansion: a user interacting with a nominally deprecated/project-management prompt could cause persistent code and release changes on the local system without clear authorization boundaries.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The prompt grants repo modification and release-publishing powers that are not justified by the stated purpose of a deprecated skill. Because these actions include durable state changes and downstream distribution through hooks/publish scripts, prompt injection or ordinary use could lead to unauthorized updates being committed and propagated.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The prompt hardcodes absolute local workspace and publication paths, exposing sensitive environmental details and steering the agent toward direct filesystem interaction outside a minimal-need model. In context, this increases the chance of unintended modification of local data and makes the prompt less portable and harder to sandbox safely.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The assembler collects and embeds metadata for every installed skill by scanning `skills/*/_meta.json`, even though its stated purpose is generating an approval packet from investment-related inputs. This creates unnecessary local inventory disclosure in the output artifact, which can leak internal capability names and versions to downstream consumers, logs, or users and expands the attack surface for reconnaissance.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The installer comments and usage text present the script primarily as an agent installer, but the actual behavior also enables commit-triggered synchronization and unattended daily publishing via launchd. This mismatch reduces informed consent and can cause users to authorize persistence and automated outbound actions they did not reasonably expect from the description.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The skill is described only as deprecated, yet the installer still performs update, installation, runtime configuration, unattended agent registration, and optional gateway restart. A deprecated package continuing to make operational changes is dangerous because users may assume it is inert or informational, while it actually modifies system and agent state.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Restarting the OpenClaw gateway is a service-level action that can interrupt workloads or alter runtime behavior beyond this single skill. Given the minimal deprecated-skill description, exposing this capability without prominent disclosure creates unnecessary operational risk and violates least surprise.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The installer performs network-based `clawhub update`/`install` actions for external skills during setup, which expands behavior beyond a local copy/install script and introduces a supply-chain risk. More importantly, it explicitly prefers `update ... --force` to fetch the latest version rather than a pinned version from the lock file, making installs non-reproducible and allowing unexpected code to be pulled into the runtime workspace.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The script text says it will install skills listed in `skills.lock.json`, which implies locked or deterministic dependencies, but the actual logic later installs the latest available versions using `clawhub update ... --force`. This misleading description can cause operators to trust the installer as reproducible when it is actually pulling mutable remote code, increasing the likelihood of unreviewed dependency changes or compromised upstream packages being introduced.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script creates and loads a persistent LaunchAgent that executes a publishing workflow at login, on a daily schedule, and every 30 minutes. That behavior materially exceeds a manifest description that only says the skill is deprecated and points users elsewhere, creating deceptive capability mismatch and unexpected background execution.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Installing a LaunchAgent under ~/Library/LaunchAgents establishes session persistence and recurring background execution without justification from the stated skill purpose. In the context of a deprecated/redirection skill, this persistence is especially risky because users would not reasonably expect continuing automated activity.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The script silently initializes a Git repository and installs a persistent post-commit hook in a user workspace, causing future commits to automatically execute another script. That is a meaningful security-relevant side effect because it establishes ongoing automation beyond the apparent deprecated-skill purpose and can be abused if the referenced sync script is modified or unsafe.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Writing a post-commit hook creates persistent execution in the repository so that every future commit triggers code execution without additional notice. In a skill described only as deprecated, this hidden persistence is poorly aligned with user expectations and increases the risk of covert data syncing, command execution, or later misuse.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill defines automatic execution of update and install steps in response to short natural-language phrases, without warning the user that it will modify the local workspace and agent registration. This creates a social-engineering and safety risk because a user may trigger state-changing operations unintentionally or without understanding the consequences.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The markdown instructs the agent to modify workspace files as part of normal operation without first telling the user that files will be created or changed. Silent writes can violate user expectations, create unauthorized state changes, and make later review or rollback difficult.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The optional messaging setup flow encourages linking external communication channels without warning the user about privacy, impersonation, account-control, or data-retention implications. That omission can cause users to connect personal accounts without understanding the security consequences or the trust boundary change.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to immediately perform an upgrade workflow whenever the user uses broad phrases like 'upgrade' or 'update to latest', without first warning that the action will modify the agent workspace or confirming scope. This creates a risky shortcut for state-changing operations: ambiguous user language can trigger package/workspace changes unexpectedly, increasing the chance of unintended modification, supply-chain exposure, or destructive changes in the wrong environment.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The prompt mandates commits and publication-triggering behavior without any user-facing warning, review, or confirmation. That means the agent can perform persistent and externally consequential actions automatically, which is dangerous for both accidental misuse and prompt-manipulation scenarios.

VirusTotal

66/66 vendors flagged this skill as clean.
