Stock Prediction

Security checks across malware telemetry and agentic risk

Overview

The skill's behaviour matches its stated stock-prediction purpose, but it automatically runs local PowerShell commands, starts a backend service, switches the local model, and writes stock-code files without adequate user control or input hardening.

Install only if you trust the local kronos-ai project and are comfortable with the agent running PowerShell commands, starting a local backend, switching models, and writing stock-code files under the hardcoded Windows path. Use only normal YYYY-MM-DD dates and integer sample counts, review generated result files for sensitive content, and clean up stored input/result files or stop the backend when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"执行预测: {cmd}")
print(f"工作目录: {PREDICT_DIR}")

# cmd is handed to PowerShell as a single -Command string
result = subprocess.run(
    ['powershell', '-Command', cmd],
    cwd=PREDICT_DIR,
    capture_output=True,
    text=True
)
Confidence
95% confidence
Finding
result = subprocess.run( ['powershell', '-Command', cmd], cwd=PREDICT_DIR, capture_output=True, text=True )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill performs file reads/writes, localhost network calls, and shell execution, yet declares no permissions or user-facing constraints. This creates a transparency and control gap: an agent may invoke powerful actions without explicit authorization boundaries, increasing the risk of unintended local command execution or data handling.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This file gives the skill the ability to launch arbitrary subprocesses through PowerShell rather than only performing data processing. In the context of an agent skill that may handle user-influenced inputs, that broad execution capability materially expands the attack surface and enables abuse if inputs are not tightly constrained.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger requires only images plus broad keywords such as '预测' ("predict") and '未来x天' ("next x days"), which can easily match benign conversation and cause unintended invocation of a powerful workflow. Because the skill can write files, start services, make network requests, and run shell commands, accidental triggering materially increases risk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill persists extracted stock codes to a timestamped local directory without prominently warning users in the description or trigger contract. Silent local storage can expose sensitive or proprietary watchlists and creates retention risk, especially on shared or administrator workstations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill will automatically open a terminal and execute shell commands to activate an environment and start a backend service when health checks fail. Auto-remediation via shell execution is high risk because it expands the blast radius of accidental or manipulated invocation into process creation and persistent local service changes.

Ssd 3

Medium
Confidence
89% confidence
Finding
The instruction to return the entire generated result file directly to the user lacks filtering, schema validation, or sensitivity checks. If the file contains debugging output, path information, model metadata, or other unintended content, the skill may disclose sensitive local or operational information.

VirusTotal

43/43 vendors flagged this skill as clean.
