fund-monitor

Security checks across malware telemetry and agentic risk

Overview

This fund-monitoring skill can do normal fund lookups, but it also contains under-disclosed code that writes financial summaries to a fixed Feishu document using bundled credentials.

Review before installing. Use the basic fund lookup only if you are comfortable with network calls to Eastmoney, and do not run the Feishu helper scripts unless you intend to publish financial summaries to that specific Feishu document. The bundled Feishu secret and document token should be considered exposed and rotated or replaced before any legitimate use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill appears to use file-read and network capabilities without declaring corresponding permissions, which undermines transparency and informed consent for users and reviewers. In this context, undocumented network and local file access are risky because the skill is presented as a simple fund-query tool, yet those capabilities could access local data or transmit information externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a significant description-behavior mismatch: the skill claims to monitor fund NAV and price changes, but the analyzed behavior includes hardcoded Feishu credentials, writing content to external documents, reading local files, embedding fixed portfolio holdings, and generating investment advice. That combination creates a serious trust and data-handling risk because users may unknowingly expose sensitive financial information or trigger external writes far beyond the declared purpose.

Description-Behavior Mismatch

High
Confidence
91% confidence
Finding
The skill does more than passive fund monitoring/querying: it writes account snapshot data to a remote Feishu document. This expands the data handling scope and creates an undisclosed outbound data sink for potentially sensitive financial information, which is risky even if intended for logging.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Embedding Feishu document write capability is not justified by a monitoring/query skill description and increases the attack surface. A skill that silently possesses write access to external collaborative docs can be abused to exfiltrate or persist sensitive account data outside the expected workflow.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill behavior exceeds its declared monitoring/query scope by calculating portfolio profit and using embedded holdings data, which creates an undisclosed secondary function involving sensitive financial analysis. This mismatch can mislead users and downstream systems about what data the skill handles and what outputs it generates, increasing privacy and governance risk.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code generates investment recommendations from a simplistic count of rising versus falling funds, without suitability checks, risk disclosure, or a clearly authorized advisory purpose. That can cause users to act on unvetted financial guidance and exposes the skill operator to compliance, trust, and decision-harm risks.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script hardcodes APP_ID, APP_SECRET, and a document token directly in source code. Hardcoded credentials are easily leaked through source control, logs, or redistribution and allow unauthorized access to Feishu APIs and the target document.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script transmits fund/account snapshot data to a remote Feishu document without any visible user disclosure or consent flow. Financial holdings, profits, and returns are sensitive data, and silently exporting them to a third-party service creates privacy, compliance, and unauthorized disclosure risks.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The file contains hard-coded holdings amounts and cost basis for a real-looking portfolio, which is sensitive financial information that may reveal assets, strategy, and performance if the code is shared, logged, or exposed through the skill. Because the data is embedded directly in source code, it bypasses normal access controls and creates a durable confidentiality risk.

Missing User Warnings

High
Confidence
99% confidence
Finding
The file hardcodes a Feishu app ID, app secret, and document token directly in source code. Embedded secrets are easily exposed through source control, logs, packaging, or reuse, allowing unauthorized access to the Feishu tenant and document operations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script transmits parsed fund and portfolio performance data to Feishu without any explicit user notice, consent flow, or clear disclosure that local CLI input will be sent to an external service. This creates a privacy and data-governance risk, especially if users assume the tool only performs local monitoring or querying.

VirusTotal

65/65 vendors flagged this skill as clean.
