Guotai Haitong Securities - Lingxi Financial Data Query

Security checks across malware telemetry and agentic risk

Overview

This financial-data skill is mostly aligned with its purpose, but it handles API keys and device-identifying data in ways users should review carefully before installing.

Install only if you trust the publisher and the GTHT/GTJA service endpoints. Prefer the QR authorization path over sending an API key in chat, use the least-privileged key available, and be aware the key may remain in a shared local JSON file until cleared with the documented clear command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Severity: Medium
Confidence: 86%
Finding
The file first states access must be strictly limited to the skill directory and a same-level shared directory, but later authorizes searching multiple parent paths for the authorization file. Conflicting path-boundary rules are dangerous because they weaken containment guarantees and can lead to unexpected credential discovery or use from unintended locations.

Intent-Code Divergence

Severity: Low
Confidence: 74%
Finding
The authorization file location is described inconsistently across sections, which can cause operators or agents to read from or write to the wrong credential path. While this is primarily a design and safety issue rather than an exploit by itself, it can still lead to accidental credential leakage, stale key reuse, or unauthorized behavior if the wrong file is trusted.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The skill implements a substantial authorization and credential-management workflow, including API-key acquisition, storage, polling, and token handling, but the declared skill purpose is only financial data querying. This capability mismatch increases the attack surface and can mislead users and reviewers about what the skill actually does, especially because it persists credentials locally and performs additional network interactions beyond simple data retrieval.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The code exposes a generic MCP client that can call arbitrary tool names on configured gateways, rather than only the narrowly described financial-search operation. If an attacker can influence CLI usage, configuration, or downstream gateway contents, this broad dispatcher could be used to invoke unintended capabilities outside the skill's advertised scope.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The authorization flow enumerates network interfaces, extracts the host MAC address, and embeds it into a generated device identifier. A MAC address is a persistent hardware identifier, so collecting and transmitting it for a financial-query skill creates unnecessary privacy and tracking risk unrelated to the stated functionality.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The code writes the API key to a shared JSON file on disk using default filesystem behavior and no encryption, permission hardening, or secure secret store. On multi-user systems or compromised hosts, this allows credential theft and reuse, which is especially sensitive in a financial-data context where the key may grant access to protected services.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The authorization flow prints sensitive values to the console, including full device identifiers, QR content, token values, file paths, and masked but still identifying API-key fragments. Console output is often captured in logs, terminal history, CI systems, or support transcripts, so exposing these identifiers can facilitate session hijacking, credential theft, or unauthorized polling of the auth flow.

Ssd 3

Severity: High
Confidence: 98%
Finding
The skill explicitly instructs the agent to ask users to send API keys directly in chat. This is dangerous because chat channels are often logged, retained, inspected by intermediaries, or exposed to prompt leakage, turning a secret-bearing credential into conversational data that can be stolen or reused for unauthorized access.

VirusTotal

64/64 vendors flagged this skill as clean.