HK IPO Calendar Monitor

Security checks across malware telemetry and agentic risk

Overview

The skill is presented as a read-only IPO calendar monitor, but the bundled runtime also includes under-disclosed investment decision, profile, persistence, and suggestion-application features.

Install only if you are comfortable with a broader IPO decision-support tool, not just a calendar monitor. Keep use to the documented calendar command if that is all you need, consider setting HKIPO_HOME to an isolated directory, avoid providing HKIPO_API_TOKEN unless necessary, and review any profile, parameter, review, or suggestion files before relying on outputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (45)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill declares itself as a read-only IPO discovery tool, but the metadata and command examples indicate broader capabilities including network access, environment use, and file output, while no permissions are declared. This creates a trust and sandboxing gap: operators may approve or run the skill under the assumption of minimal privilege even though it can access external data and write files such as exported reports.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented skill scope is a narrow calendar monitor, but the analyzed behavior reportedly includes substantially broader functions such as scoring, persistence, profile storage, model/version management, external suggestion handling, and multiple forms of scraping and data caching. This mismatch is dangerous because it can mislead users and reviewers about the true attack surface, causing them to authorize a much more powerful skill than intended and increasing the risk of unauthorized data collection, persistence, and unsafe downstream actions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file materially expands the skill from simple Hong Kong IPO calendar monitoring into qualitative investment analysis and subscription decision support. That scope creep can cause the agent to provide unapproved financial guidance, rely on unstable external sources, and make higher-risk judgments than the skill metadata suggests, increasing the chance of misleading or non-compliant outputs.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The package's public API exports a much broader set of capabilities than the skill's declared purpose of monitoring Hong Kong IPO deadline and listing windows. This increases the attack surface and enables downstream callers or agent planners to invoke grey-market, margin, rating, sponsor, cache-management, and other analytics functions that are outside the expected trust boundary for this skill.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
Grey market, margin, rating, and allotment-analysis modules materially exceed the stated monitoring/discovery scope and expose financial-analysis functionality not implied by the manifest. In an agent setting, this can cause capability confusion, where a model or orchestrator uses sensitive or higher-risk functions because they are importable even though users only authorized a simple monitoring tool.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
Allotment prediction and sponsor-performance tooling goes beyond passive monitoring into evaluative and predictive analysis, which is inconsistent with the declared scope. While not directly dangerous like code execution, this mismatch can mislead policy enforcement and users about what the skill can do, making unauthorized or unexpected financial inference more likely.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The CLI’s documented surface area is much broader than the skill’s stated purpose of calendar monitoring, exposing research, analysis, sentiment, prospectus, and profile-related capabilities. In an agent setting, this kind of scope drift is dangerous because orchestrators or users may invoke unintended functions that access additional data sources or produce investment-analysis behavior outside the approved permission boundary.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The dispatcher routes to many non-calendar modules, including sentiment, ETNet sponsor stats, HKEX prospectus access, A/H pricing comparison, detailed IPO analysis, and profile handling. This materially expands what the agent can do beyond near-term discovery of open/closing/listing windows, increasing the chance of unauthorized data access, overbroad network activity, and misuse of the skill in ways the manifest does not disclose.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The profile mode reads a local YAML file containing personal financial preferences and combines it with IPO data, which is unrelated to simple calendar monitoring. In a skill expected to provide discovery results, accessing local profile data creates an unnecessary privacy boundary crossing and can expose sensitive user information to the agent or downstream outputs.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Analyze mode performs broad IPO investment analysis, aggregating ratings, cornerstone investors, sponsor history, margin detail, and A/H comparisons. While not directly code-execution dangerous, it violates least privilege for a calendar-monitoring skill and can cause the agent to produce richer investment intelligence than the user or platform intended.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file substantially exceeds the skill's declared purpose of near-term Hong Kong IPO calendar monitoring by exposing broad IPO analytics, historical performance, sponsor rankings, and reference data. This increases attack surface and data exposure, and can let callers use the skill for unintended market-intelligence tasks that were not disclosed or constrained by the skill contract.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code exposes detailed grey-market trade records and price-distribution analysis that are unrelated to a calendar-monitor skill. Even if the data is externally sourced, adding granular trade-analysis capabilities broadens the skill into a market-surveillance tool, increasing misuse potential and violating least-privilege design for the stated use case.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The market scroll feed includes holding-change alerts and trader identifiers, which are outside the declared IPO calendar-monitoring purpose. Surfacing trader-linked or behavior-linked signals in a broadly accessible skill creates unnecessary sensitive-context exposure and enables uses beyond simple scheduling or discovery of upcoming IPO events.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The module is implemented to scrape already-listed IPO performance data from Futu, while the skill manifest says the skill should monitor near-term Hong Kong IPO subscription deadlines and listing windows. This functional mismatch can cause the agent to return stale or irrelevant data, misleading downstream decisions about what is currently open or closing soon.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The function and CLI documentation explicitly frame the module as a tool for listed-IPO and recent-performance analysis, which contradicts the skill's stated purpose of monitoring imminent IPO windows. In an agent setting, this increases the chance that operators or orchestration logic will trust the component for deadline-sensitive monitoring even though it is not collecting the right dataset.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The code uses httpx for network access but documents and catches requests.RequestException without importing requests. In the CLI error path, a real httpx exception will bypass the intended handler, and attempting to evaluate the undefined requests name in an except clause can itself raise a NameError, causing crashes and making network failures unhandled. In an agent context, this can break monitoring workflows and prevent graceful degradation when the external API is unavailable or misbehaving.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill is described as a narrow Hong Kong IPO calendar monitor, but this CLI exposes many additional capabilities including profile management, scoring, parameter versioning, watchlists, review history, and suggestion application. That scope expansion violates least privilege and increases attack surface because an agent or caller expecting read-only discovery functionality could trigger state-changing operations on local data and decision logic.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code supports importing external OpenClaw suggestions and then accepting or rejecting them, potentially creating or changing parameter versions. In a skill whose stated purpose is calendar monitoring, this is dangerous because it introduces an unneeded path for untrusted external data to influence persistent configuration and downstream decision-making behavior.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Persistent user profile and scoring-parameter management are outside the stated discovery-only purpose of the skill. Even if not directly code-execution related, these extra write-capable features create unnecessary opportunities for unauthorized preference changes, misleading outputs, and hidden persistence in an environment where users may expect only ephemeral calendar lookup behavior.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The command writes review history and artifacts to persistent storage even though the skill is described as a monitoring/discovery tool. In an agent setting, unexpected persistence expands the data-handling surface, may retain sensitive user queries or derived investment outputs, and violates least surprise for a read-oriented skill.

Description-Behavior Mismatch

Medium
Confidence
79% confidence
Finding
The command writes decision-card responses and review artifacts to local storage even though the skill is described as a monitoring/discovery tool. This creates undeclared persistence of potentially sensitive user inputs, profile-derived data, and analysis outputs, increasing privacy, retention, and surprise side-effect risks in an agent context where users may expect read-only discovery behavior.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The file implements parameter version persistence, activation, and scoring comparison workflows that go well beyond the manifest's stated purpose of monitoring Hong Kong IPO windows. In an agent-skill setting, this scope mismatch is dangerous because hidden or unjustified capabilities can enable unauthorized stateful behavior, unexpected local data retention, and abuse paths not anticipated by users or reviewers.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code saves and lists persistent parameter versions via a local SQLite-backed repository even though the skill is presented as a near-term IPO monitoring tool. Unnecessary persistence increases risk by retaining user-derived configuration/state on disk, creating opportunities for unintended data exposure, policy bypass, or covert statefulness inside a skill that users expect to be read-only or ephemeral.

Intent-Code Divergence

Medium
Confidence
81% confidence
Finding
The module docstring advertises 'Parameter version management command handler,' which conflicts with the manifest's IPO-monitoring description and signals undeclared functionality. While a docstring alone is not an exploit, in this context it is a meaningful indicator of capability mismatch that can hide higher-risk behavior from users and security review.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This command handler exposes state-changing and filesystem-affecting capabilities such as record updates, suggestion imports, and exports, even though the skill is described as a read-oriented IPO monitoring/discovery tool. In an agent setting, this mismatch increases the risk of unintended data modification or local file interaction when a caller expects only passive monitoring behavior.

VirusTotal

67/67 vendors flagged this skill as clean.
