Prana A-Share Financial Analysis Assistant

Security checks across malware telemetry and agentic risk

Overview

The skill mostly performs the advertised remote stock analysis, but it also includes an account-linked history URL feature and persistent credential handling that users should review before installing.

Install only if you trust the Prana service with your stock-analysis prompts and session linkage. Treat PRANA_SKILL_API_FLAG as a secret, avoid submitting private financial or personal details, clear the session thread file when you want a fresh context, and be cautious with the history URL because it may expose account-linked records through a tokenized link.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 85%
Finding
The skill claims to perform A-share financial analysis, but also includes a separate capability to fetch a 'history request/skill purchase history' URL. That is a scope expansion into account/history access, which may expose usage metadata or billing-related records unrelated to the user’s requested stock analysis.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
Directing the skill to obtain a browser-openable purchase/history URL exceeds the reasonable capability boundary of a financial-analysis assistant. Such links may contain sensitive tokens or account-associated history, and the document explicitly says to return the full link directly to the user, increasing the risk of unauthorized disclosure or misuse.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script forwards the raw user-supplied question to a remote service in the agent-run request without any disclosure, consent prompt, redaction, or data-classification guard. Because user questions may contain financial, personal, or proprietary information, this creates a privacy and data-handling risk that is especially relevant for a financial-analysis skill where users may paste sensitive company or investment data.

VirusTotal

66/66 vendors flagged this skill as clean.
