Security audit

HK IPO Review Optimizer

Security checks across malware telemetry and agentic risk

Overview

This is not clearly malicious, but it bundles a much broader HK IPO decision-support runtime than the review-only description explains.

Install only if you want the full HK IPO decision-support runtime, not just a narrow review helper. Keep profile and review data out of shared directories, review exported dataset paths, import suggestions only from trusted files, and be careful accepting suggestions because they can change active scoring parameters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no permissions while its documented/runtime behavior implies access to environment data, local files, persistent storage, and likely network-backed functionality through the bundled CLI. That mismatch removes an important transparency and policy control layer, making it easier for an agent or user to invoke broader capabilities than expected.
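The check behind this finding, declared permissions compared against what the bundled code actually exercises, can be reproduced with a small static scan. The following is an added example, not SkillSpector's scanner and not the skill's own code; the module-to-capability mapping, the permission names (network, env, filesystem, process) and the sample module are assumptions constructed for illustration.

```python
"""Compare a skill bundle's observed capabilities with its declared permissions.
Added example: the capability mapping and permission names are assumptions."""
import ast
from dataclasses import dataclass, field

# Imports that are evidence of a capability (assumed mapping, not a vendor rule set).
MODULE_CAPABILITIES = {
    "requests": "network", "urllib": "network", "urllib3": "network",
    "httpx": "network", "aiohttp": "network", "socket": "network",
    "subprocess": "process", "shutil": "filesystem",
}
ENV_ACCESS = {("os", "environ"), ("os", "getenv")}
FILE_BUILTINS = {"open"}


@dataclass
class CapabilityReport:
    observed: set = field(default_factory=set)
    evidence: list = field(default_factory=list)  # (capability, lineno, detail)

    def note(self, capability, lineno, detail):
        self.observed.add(capability)
        self.evidence.append((capability, lineno, detail))


class CapabilityVisitor(ast.NodeVisitor):
    def __init__(self, report):
        self.report = report

    def _module(self, name, lineno):
        root = name.split(".")[0]
        if root in MODULE_CAPABILITIES:
            self.report.note(MODULE_CAPABILITIES[root], lineno, f"import {name}")

    def visit_Import(self, node):
        for alias in node.names:
            self._module(alias.name, node.lineno)
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        self._module(node.module or "", node.lineno)
        self.generic_visit(node)

    def visit_Attribute(self, node):
        # os.environ / os.getenv anywhere inside an expression
        if isinstance(node.value, ast.Name) and (node.value.id, node.attr) in ENV_ACCESS:
            self.report.note("env", node.lineno, f"{node.value.id}.{node.attr}")
        self.generic_visit(node)

    def visit_Call(self, node):
        if isinstance(node.func, ast.Name) and node.func.id in FILE_BUILTINS:
            self.report.note("filesystem", node.lineno, f"{node.func.id}(...)")
        self.generic_visit(node)


def scan_source(source, filename="<skill>"):
    """Parse one module and collect the capabilities its code exercises."""
    report = CapabilityReport()
    CapabilityVisitor(report).visit(ast.parse(source, filename))
    return report


def undeclared_capabilities(declared, report):
    """Capabilities seen in code but absent from the permission manifest."""
    return sorted(report.observed - set(declared))


# Constructed sample of the kind of code a bundled CLI module might contain.
SAMPLE_SOURCE = '''
import os
import requests

def fetch_overview(url):
    token = os.environ.get("HKIPO_TOKEN")
    return requests.get(url, headers={"X-Token": token}, timeout=10).json()

def load_profile(path=os.path.expanduser("~/.hkipo/profile.yaml")):
    with open(path, encoding="utf-8") as fh:
        return fh.read()
'''

if __name__ == "__main__":
    rep = scan_source(SAMPLE_SOURCE, "cli.py")
    for cap, line, detail in rep.evidence:
        print(f"{cap:<10} line {line}: {detail}")
    # An empty manifest, as in the finding, leaves every observed capability undeclared.
    print("undeclared:", undeclared_capabilities([], rep))
```

Run it over every module in the bundle and diff the union of observed capabilities against the manifest; a wildcard permission would make the diff empty without resolving anything, so treat `*` in the manifest as its own finding rather than as a declaration.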

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a narrow post-decision review tool, but the underlying bundle appears to expose a much broader IPO platform including live data fetching, scoring, preference management, parameter changes, and persistent state manipulation. This kind of description-behavior mismatch is dangerous because operators may approve or invoke the skill under a limited-trust assumption while it can perform materially different actions with wider data access and side effects.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The reference guide exposes broad capabilities for live-market data retrieval, prediction, and operational commands that exceed the declared purpose of reviewing past IPO decisions and tuning later scoring behavior. This kind of scope expansion increases the chance that an agent can be induced to perform unintended market-facing actions or gather unnecessary external data, weakening least-privilege boundaries for the skill.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The guide documents direct shell/CLI invocation patterns, including parameterized commands, for a skill whose stated purpose does not require arbitrary command execution. Even if examples are benign, exposing CLI pathways materially increases attack surface because downstream agent behavior may be steered into executing local commands, accessing unintended resources, or chaining file/system operations beyond the review-optimization use case.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The package initializer re-exports a much broader set of capabilities than the skill metadata claims, including live IPO discovery, market data, sponsor rankings, prospectus/document access, and cache-management functions. This creates a scope mismatch that can enable an agent or downstream caller to access data-collection and operational capabilities outside the declared purpose of reviewing historical IPO decisions and tuning behavior, undermining least privilege and increasing the chance of unintended data access or risky actions.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The CLI’s declared scope is retrospective IPO review optimization, but the docstring exposes broad live-market research capabilities such as current IPO overviews, margin/rating/grey market access, calendars, and sponsor sentiment. This scope mismatch is dangerous because an agent or user may invoke capabilities far beyond the approved purpose, enabling unauthorized market intelligence collection and decision support under a misleading skill identity.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
Most of the implementation performs active-current-market analysis, external data retrieval, profile-driven recommendation support, and one-click IPO analysis rather than reviewing past decisions and exporting review datasets. In an agent setting, this materially increases capability exposure and could cause the system to act as a live investment-research tool, violating least privilege and expected user consent boundaries.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The profile command reads and encourages creation of a persistent local YAML file containing personal financial information such as capital, risk preference, margin behavior, and broker. Collecting and persisting this data is not justified by the stated review-optimizer purpose, creating unnecessary privacy risk and a broader data-handling footprint if the agent is compromised or the file is reused unexpectedly.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
This module makes live requests to third-party market-data endpoints (Sina and Tencent) even though the declared skill purpose is reviewing historical Hong Kong IPO decisions and tuning later scoring behavior. That mismatch expands the skill's capability beyond its stated workflow, creating unnecessary data egress, dependency on unvetted external services, and a path for prompt-triggered network activity that could be abused for unauthorized lookups or operational instability.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file implements a large live-data scraping and CLI surface that materially exceeds the declared purpose of a review-and-outcome optimization skill. Capability overreach is dangerous because it increases the attack surface, enables unexpected outbound data access and operational behaviors, and makes it easier for downstream prompts or tooling to invoke functions unrelated to the user's intended task.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The module exposes numerous intelligence-gathering functions—sponsor history, broker/bookrunner/stable-price rankings, management profiles, and market scroll messages—that are not justified by the stated optimizer use case. Even if individually benign, bundling these retrieval paths into one skill creates unnecessary privilege and data-access breadth, increasing misuse potential and making policy enforcement harder.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
This module performs live retrieval and scraping of Yahoo Finance and AASTOCKS data even though the skill is described as retrospective IPO review optimization. That creates an unnecessary outbound data path, expands the trust boundary to third-party services, and can leak usage patterns or enable behavior outside the approved capability scope.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code makes direct network requests to third-party finance sites without a clear need tied to the stated review-optimizer purpose. Unjustified outbound access is dangerous because it increases attack surface, creates dependency on untrusted remote content, and may violate least-privilege expectations for an analysis skill.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This file performs outbound network access to a third-party IPO API even though the skill is described as reviewing past Hong Kong IPO decisions and tuning later scoring behavior. That scope mismatch expands the skill's capabilities beyond what users and reviewers would reasonably expect, creating data exfiltration, dependency, and unauthorized-live-data risks if the adapter is reachable from the skill.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The core function fetches current IPO offer data from a live third-party service, which does not align with a skill meant to analyze completed IPO calls and outcomes. In agent environments, this kind of hidden capability can bypass least-privilege expectations, introduce unreviewed external data flows, and let the skill influence behavior using live market data outside its declared purpose.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The documentation instructs users to export review datasets directly to an arbitrary filesystem path without warning that those datasets may contain historical decisions, notes, PnL, or other sensitive trading information. In an agent setting, this increases the risk of unintentional data leakage to insecure locations, shared temp directories, or later exfiltration by other tools.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code silently reads a local profile containing sensitive personal financial preferences without any user-facing notice, confirmation, or disclosure in that execution path. In an agent environment this is risky because users may not realize the tool is accessing stored personal data, undermining informed consent and potentially exposing data beyond the intended task.
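The two data-handling findings above (unwarned export to an arbitrary path, and a silent profile read) call for the same guards: refuse shared locations and overwrites, write owner-only, redact trading detail by default, and gate the profile read on explicit consent with a visible notice. The following is an added example and not the skill's own code; the field names, the JSON profile format (the skill's profile is YAML) and the sample records are assumptions constructed for illustration.

```python
"""Guarded review-dataset export and consent-gated profile read.
Added example, not the skill's code; field names and JSON profile are assumptions."""
import json
import os
import stat
import tempfile
from pathlib import Path

# Locations readable by other users or other tools on the host.
SHARED_DIRS = {Path(p).resolve() for p in ("/tmp", "/var/tmp", "/dev/shm", tempfile.gettempdir())}

# Fields carrying trading or personal-finance detail (assumed names).
SENSITIVE_FIELDS = {"notes", "pnl", "capital", "broker", "margin_ratio"}


def is_shared_location(path):
    """True if path sits under a shared temp dir or a world-writable parent."""
    resolved = Path(path).resolve()
    if any(resolved == d or d in resolved.parents for d in SHARED_DIRS):
        return True
    parent = resolved.parent
    return parent.exists() and bool(parent.stat().st_mode & stat.S_IWOTH)


def redact(record):
    """Copy of record with sensitive fields replaced by a marker."""
    return {k: ("[redacted]" if k in SENSITIVE_FIELDS else v) for k, v in record.items()}


def export_dataset(records, path, include_sensitive=False, allow_shared=False):
    """Write records as JSON. Refuses shared dirs and existing files, and strips
    sensitive fields unless the caller opts in explicitly. Returns the Path."""
    target = Path(path)
    if is_shared_location(target) and not allow_shared:
        raise ValueError(f"refusing to export into shared location: {target}")
    rows = records if include_sensitive else [redact(r) for r in records]
    # O_EXCL: never overwrite (also defeats symlink clobbering); 0o600: owner-only on POSIX.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(rows, fh, indent=2)
    return target


def load_profile(path, consent_granted=False, notify=print):
    """Read the local profile only after explicit consent, and say which file was read."""
    if not consent_granted:
        raise PermissionError(f"profile read at {path} requires explicit user consent")
    notify(f"[profile] reading personal finance preferences from {path}")
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def demo():
    """Exercise every guard in a fresh temp directory; returns the outcomes."""
    # Constructed sample records, not real trading data.
    records = [{"ticker": "0000.HK", "decision": "apply", "notes": "thin book", "pnl": 1234.5}]
    outcome = {}
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)  # under the shared temp dir, so the default export must refuse
        try:
            export_dataset(records, workdir / "review.json")
            outcome["shared_rejected"] = False
        except ValueError:
            outcome["shared_rejected"] = True
        out = export_dataset(records, workdir / "review.json", allow_shared=True)
        outcome["mode_owner_only"] = os.name != "posix" or stat.S_IMODE(out.stat().st_mode) == 0o600
        outcome["redacted"] = json.loads(out.read_text(encoding="utf-8"))[0]["pnl"] == "[redacted]"
        try:
            export_dataset(records, out, allow_shared=True)
            outcome["overwrite_rejected"] = False
        except FileExistsError:
            outcome["overwrite_rejected"] = True
        profile = workdir / "profile.json"
        profile.write_text(json.dumps({"capital": 500000, "risk": "medium"}), encoding="utf-8")
        try:
            load_profile(profile)
            outcome["consent_required"] = False
        except PermissionError:
            outcome["consent_required"] = True
        outcome["profile"] = load_profile(profile, consent_granted=True, notify=lambda _m: None)
    return outcome


if __name__ == "__main__":
    print(demo())
```

The `allow_shared` and `include_sensitive` switches are the user-facing warnings the findings ask for: the default path refuses quietly risky behaviour, and an agent that wants it has to say so in a way that shows up in the tool call.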

VirusTotal

65/65 vendors flagged this skill as clean.