
Security audit

Finance Data Scraper

Security checks across malware telemetry and agentic risk

Overview

This finance scraping skill has a coherent purpose, but it embeds a real-looking NocoDB token and can send local data to a fixed external database while also closing unrelated browser tabs on a schedule.

Review carefully before installing or running. Do not use the import script as-is: remove the hardcoded NocoDB URL, token, and table ID, rotate the exposed token if it belongs to you, and load credentials from a least-privilege secret or environment variable. Run the tab cleanup only in an isolated browser profile or change it to close only tabs created by this skill, and review all cron examples before enabling recurring jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill advertises operational capabilities that imply file access, network communication, and shell execution, but it does not declare permissions or boundaries for those actions. This increases the risk of over-privileged execution and makes it harder for users or the platform to assess what the skill can access before it runs.

Tp4

High
Category
MCP Tool Poisoning
Confidence
77% confidence
Finding
The skill description presents a broad finance-scraping solution, but the documented behavior also includes sending data to an external NocoDB service while much of the claimed scraping functionality is not actually evidenced in this file. That mismatch reduces transparency and can mislead operators about what the skill really does, which is especially risky when external data transmission and credential use are involved.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The cleanup logic is broader than the stated memory-protection purpose because it closes all non-Eastmoney tabs, not just excess target-site tabs. In an agent skill context, this can disrupt unrelated user work, terminate authenticated sessions, and interfere with other browser-based tasks without clear user consent.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation says the script keeps one Eastmoney tab and closes extra tabs, but the implementation also closes every non-Eastmoney tab. This mismatch is security-relevant because operators may approve or schedule the script under a narrower assumption, leading to broader destructive behavior than disclosed.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A live NocoDB API token is hardcoded directly in the script, exposing credentials to anyone with file access or repository access. An attacker could reuse the token to read, modify, or delete data in the referenced UAT table or potentially broader resources depending on token scope.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs users to provide a NocoDB API token and transmit scraped data to an external database, but it does not warn about credential sensitivity, token storage, or the privacy and security implications of outbound data transfer. This can lead to credential leakage, misuse of long-lived tokens, or unintentional exfiltration of collected data to third-party infrastructure.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The scheduled task instructs the agent to close 'all extra tabs' while only preserving one Eastmoney tab, but it does not define safe boundaries such as limiting actions to tabs opened by this skill, a dedicated browser profile, or a known window/session. In an automated cron context, this can cause unintended destructive actions against unrelated user or operator tabs, leading to workflow disruption and possible data loss from unsaved web state.

VirusTotal

65/65 vendors flagged this skill as clean.
