ClawHub

Market Watch

Security checks across malware telemetry and agentic risk

Overview

This is a coherent market alert skill that runs disclosed background monitors and sends OpenClaw notifications, but users should understand it stores alert context and session routing metadata locally.

Install only if you want an OpenClaw agent to monitor markets in the background and proactively message configured channels. Avoid putting secrets in alert summaries, review session keys and reply targets before registering alerts, cancel old alerts when finished, and install the macOS watchdog only if you want recurring launchd persistence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
A simple alert-registration flow also enumerates the agent's latest session and stores transcript file paths/session identifiers without explicit user consent. That expands data collection beyond what is necessary for registering a price alert and can expose sensitive conversation metadata or create unintended linkage between alerts and private transcripts.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Registering an alert implicitly starts a local daemon, which is behavior beyond the user's apparent request to create a record. Hidden background process launch increases attack surface, can surprise operators, and may enable persistence-like behavior in an agent environment where side effects should be explicit.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly describes proactively contacting users and includes session-related routing identifiers such as session keys and reply targets, but does not warn about privacy implications, consent requirements, or how these identifiers are protected. In an agent skill that can send outbound notifications, this increases the risk of unexpected messaging, metadata leakage, or misuse of conversation-linked identifiers if logs, configs, or shared state are exposed.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documented alert format persists transcript file paths and message IDs so the agent can reconstruct prior user context, but the README gives no retention, access-control, or privacy warning. Persisting references to conversation history can expose sensitive user intent and make later unauthorized replay or correlation easier if the alerts database is read by other local processes or users.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README states that when price or news conditions trigger, the system will automatically notify the agent and may include context such as session identifiers and transcript file paths for intent recovery. That creates a privacy and data-sharing risk because users are not clearly warned that monitoring events can cause outbound notifications and context propagation beyond the local watch process.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The activation guidance uses broad natural-language examples like 'help me watch BTC' or 'monitor BlackRock news,' which could overlap with ordinary conversation and cause the skill to activate in contexts the user did not intend. In a skill that can register persistent background monitoring and send proactive notifications, accidental activation is more dangerous than in a read-only skill because it changes system state and enables ongoing surveillance-like behavior.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation description is broad enough to trigger on generic requests about 'watching,' 'monitoring,' notifications, or news, which can cause the skill to activate in situations the user did not clearly intend. Because the skill performs persistent monitoring, stores alert state, and may later notify users based on prior context, overbroad matching increases the risk of unnecessary data handling and unintended background actions.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
`deliver_message` can transmit message content plus routing metadata (`agent_id`, `session_key`, `reply_channel`, `reply_to`) to an external delivery mechanism without any visible consent, disclosure, or authorization checks in this helper. In a market-watch skill that monitors assets and sends alerts asynchronously, this increases the chance of silent exfiltration, misdelivery, or abuse of the notification pathway if alert objects are attacker-controlled or improperly scoped.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to read `context_summary` and, if needed, the `transcript_file` to recover more details when processing alerts. Pulling full conversation transcript context for a later notification exceeds what is minimally necessary for alert delivery and creates a natural-language data exposure risk, especially if alerts are triggered asynchronously or routed through external channels like Feishu.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal