VN Stock Scanner
Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: hoang-vn-stock-scanner
Version: 1.0.0

The skill contains a significant command injection vulnerability in SKILL.md, where user-provided input (ticker symbols or keywords) is directly embedded into a shell command executed via the 'exec' tool. Additionally, scripts/scanner.py explicitly disables SSL certificate verification (verify=False) for its network requests to CafeF and TCBS, increasing the risk of man-in-the-middle attacks. While the script's logic appears aligned with its stated purpose of stock analysis, these security flaws represent high-risk behaviors.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If inputs are not handled carefully by the agent/runtime, malformed ticker or keyword text could cause command errors or unintended shell interpretation.
The skill relies on exec and substitutes a user-derived stock ticker into a command. This is aligned with the scanner purpose, but raw command invocation should validate and quote user-derived parameters.
Use the `exec` tool to run the command: python3 /home/hoang/.openclaw/workspace/vn-stock-scanner/scripts/scanner.py ticker --ticker <mã_cổ_phiếu>
Use a package-relative script path and pass ticker/keyword values as structured arguments where possible; restrict tickers to expected stock-code characters.
On a different machine, the command may fail or could point to a different local file than the bundled scanner.py.
The command references a user-specific absolute path rather than a package-relative path, so the executed helper's location should be checked against the reviewed artifact.
python3 /home/hoang/.openclaw/workspace/vn-stock-scanner/scripts/scanner.py news --keywords "<từ_khóa>"
Update the skill to reference the included script by a registry/package-relative path and declare python3/requests requirements in the install metadata.
A network attacker could potentially alter the news or ticker data shown to the user.
The script disables certificate verification for HTTPS requests. The external data fetch is purpose-aligned, but this makes spoofed or tampered responses easier to accept.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
resp = requests.get(url, headers=headers, timeout=10, verify=False)
Enable normal TLS certificate verification and only disable it with explicit user consent for troubleshooting.
