HK IPO Profile and Watchlist Manager

Security checks across malware telemetry and agentic risk

Overview

The published skill presents itself as a profile and watchlist manager, but it bundles an unrestricted HK IPO decision-support CLI with broader networked research, scoring, review, import/export, and persistence features.

Review before installing if you expected only a small local settings manager. The documented profile and watchlist commands are ordinary local state changes, but the package also contains broader IPO research and decision-support features that can fetch third-party market data and store review or scoring history under ~/.hkipo-next when invoked.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (33)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes a bundled CLI that reads and writes files under ~/.hkipo-next and, per the static finding, also has environment and network capabilities, yet the skill declares no permissions or trust boundaries. That omission prevents informed consent and makes it easier for a seemingly simple preference-management skill to access broader local and external resources than the user would expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented purpose is limited to profile and watchlist management, but the underlying runtime reportedly supports broad market-data retrieval, scoring, exports/imports, history persistence, and other unrelated capabilities. This large description-behavior gap is dangerous because users and orchestrators may grant trust to a narrowly described skill while actually exposing a much more capable runtime with network access and persistent state handling.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The module exports a very broad set of market-data retrieval, analytics, and document-access functions that go far beyond the declared skill purpose of managing user HK IPO preferences and watchlists. This creates unnecessary capability exposure: if the agent can access all exported functions, prompt injection, tool misuse, or simple routing errors could invoke data-collection and analytics behaviors outside the intended trust boundary.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The package exposes cache administration functions including destructive operations such as clearing cached data, even though cache management is unrelated to a preferences/watchlist manager. Unnecessary destructive primitives increase the blast radius of misuse: an agent or injected instruction could delete shared cached state, cause denial of service, or degrade integrity/availability for other operations.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file implements a broad market-research CLI spanning multiple data sources and analytical functions that significantly exceed the stated skill purpose of managing user HK IPO preferences and watchlists. This scope expansion is dangerous because it grants the skill access paths and behaviors the user may not expect, increasing attack surface, enabling unauthorized data retrieval, and weakening least-privilege boundaries for the agent.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The analyze command aggregates multiple external and local data sources into an end-to-end IPO research output, which is materially outside the described profile/watchlist-management role. In an agent setting, hidden aggregation features are risky because they can be invoked to exfiltrate richer datasets, perform undeclared analysis, or influence decisions using capabilities the user did not knowingly authorize.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The profile flow reads a local YAML file containing personal financial preferences and then prints the full profile contents as JSON. This is dangerous because sensitive user data such as capital, risk tolerance, margin preference, and broker can be exposed to the agent output or downstream consumers without clear necessity, minimization, or disclosure.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
This module performs broad live scraping of third-party IPO market data, including details, allotment results, grey market schedules, and sponsor performance, which materially exceeds a skill limited to managing user preferences and watchlists. In an agent context, this creates an unnecessary external data access surface, expands data-processing behavior beyond user expectations, and can enable unauthorized capability growth or policy bypass via undocumented market-intelligence collection.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The file implements a full AAStocks IPO data adapter rather than watchlist/profile management, indicating clear scope drift from the stated skill purpose. This is dangerous because over-scoped skills can silently grant agents access to unreviewed external intelligence sources and behaviors that users and integrators did not authorize, increasing both privacy/compliance and supply-chain risk.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file adds live A/H-share discovery and pricing logic, including outbound calls to third-party market-data providers, which is materially broader than the declared skill purpose of managing user HK IPO preferences and watchlists. Scope expansion is dangerous because it creates unreviewed data flows, increases external dependency and privacy exposure, and may enable the agent to make or influence decisions using capabilities users and reviewers would not expect from this skill.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code performs direct outbound HTTP requests to Sina and Tencent endpoints to fetch live securities metadata and prices, even though the skill is described as a settings/watchlist manager. In this context, unexpected network egress is risky because it can leak user-derived inputs such as watched company names, bypass least-privilege expectations, and introduce integrity and availability risks from unvetted third-party responses.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file implements a broad market-data client and CLI for HK IPO analytics, far beyond the declared skill purpose of managing user preferences and watchlists. That scope mismatch is dangerous because it expands the agent’s capabilities to retrieve and expose external financial intelligence the user did not request, increasing data-access surface, policy bypass risk, and the chance the skill is invoked for unintended decision-support workflows.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code exposes broker, bookrunner, and stable-price ranking/history endpoints that are not justified by a profile/watchlist-management skill. In context, these functions create hidden analytical and surveillance-style capability that could influence investment decisions or be repurposed without proper review, making the skill materially more capable than advertised.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This file introduces a full live market-data scraping capability from Futu even though the skill is described as managing user preferences and watchlists. That scope mismatch is dangerous because it silently expands the skill's behavior to external network access and data acquisition that users and reviewers would not expect, increasing the attack surface, privacy/compliance risk, and the chance of unauthorized functionality being invoked.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The direct httpx request to an external website adds undeclared web-scraping behavior unrelated to preference/watchlist management. In this skill context, that makes the issue more dangerous because the capability is hidden inside a settings-oriented tool, so operators may grant it permissions or trust assumptions that would not be acceptable for a networked market-data collector.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file implements live IPO market-data retrieval and calendar aggregation, which does not match the declared purpose of a profile/watchlist manager skill. This capability mismatch is dangerous because it expands the skill's effective scope beyond user-preference management, increasing the chance of unauthorized data access, misleading users about what the skill does, and creating hidden behavior that downstream agents may invoke without proper review.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code imports and calls external IPO data retrieval functions to build a market calendar even though the skill is described as managing user settings and watchlists. In a skill ecosystem, unjustified capabilities are risky because they can be abused for unintended external access or decision support workflows that users and reviewers did not consent to when enabling a profile manager.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This module pulls third-party IPO market data even though the skill is described as managing user preferences and watchlists. That capability mismatch expands the trust boundary and can introduce unexpected data flows, dependency risk, and user-surprising behavior that is not justified by the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code performs outbound HTTP requests to a third-party domain without that network behavior being justified by the skill's stated preference-management role. In an agent setting, undisclosed external requests can leak usage patterns, create supply-chain/data-integrity exposure, and violate least-privilege expectations even if no direct user secret is sent.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The CLI entrypoint exposes many capabilities far beyond the stated skill purpose of managing user preferences and watchlists, including scoring, batch analysis, review history, exports, and parameter tuning. In an agent-skill context, this scope expansion increases attack surface and can enable unintended data access, file writes, or higher-impact actions when the orchestrator expects a narrower least-privilege tool.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The file exposes import/export and accept/reject workflows for external OpenClaw suggestions, which introduces state-changing and file-based operations not justified by a simple profile/watchlist manager. In an agent environment, accepting imported suggestions could alter scoring parameters or persisted state based on untrusted external content, making this materially riskier than passive preference management.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The batch command persists review history/artifacts via _persist_review_records(), which goes beyond the declared skill scope of managing user preferences and watchlists. In an agent setting, undocumented persistence expands the data footprint and can retain sensitive portfolio interest, watchlist composition, or decision outputs longer than a user expects, increasing privacy and least-privilege risk.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This code runs BatchService, DecisionService, ScoringService, and SnapshotService to perform IPO decision/scoring workflows, which materially exceeds the stated scope of profile and watchlist management. Scope mismatch is dangerous in agent ecosystems because callers may grant this skill access or trust assumptions appropriate for preference management, while the code performs broader processing and potentially external/data-intensive actions.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The command writes a review/history record via _persist_review_record() even though the skill metadata describes preference and watchlist management, not retention of generated decision-card outputs. This scope expansion can create unauthorized persistence of potentially sensitive investment preferences or decision data, increasing privacy and data-governance risk if users or operators do not expect this storage.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The command implements review-history listing, detail retrieval, updates, suggestion import, and export workflows that materially exceed the declared skill scope of profile/watchlist management. This kind of scope drift increases the attack surface and can enable unintended access to stored review data or file-handling behaviors that users and platform policy would not expect from this skill.

VirusTotal

67/67 vendors flagged this skill as clean.
