allstock-data

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward stock-data lookup guide using external finance APIs, with privacy and transport-security caveats but no hidden or destructive behavior.

Install this skill if you are comfortable sending queried stock symbols to external finance data providers. Prefer validated stock-code inputs, treat plain-HTTP results as public and unauthenticated, use only trusted proxies, and verify the optional adata package before installing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence: 91%
Finding
The skill instructs users to query Tencent Finance endpoints over the network but does not warn that stock symbols, query patterns, IP address, and related metadata will be sent to a third-party service. This is a genuine privacy/transparency issue, though not an exploit primitive by itself. In context, the skill is explicitly about external market data retrieval, which makes the behavior expected, but users still need clear disclosure before their requests leave the local environment.

Missing User Warnings

Low
Confidence: 95%
Finding
The proxy setup example tells users how to route traffic through a proxy without warning that all API traffic may transit a third-party intermediary that can observe or modify requests and responses. This creates a meaningful confidentiality and integrity risk, especially if users rely on the proxy for financial data workflows or run the skill in enterprise environments. The context increases risk slightly because the example normalizes proxy use without any trust or security guidance.

VirusTotal

66/66 vendors flagged this skill as clean.
