ClawHub
Back to skill

Security audit

Tianji Data

Security checks across malware telemetry and agentic risk

Overview

The market-data functions are mostly coherent, but the skill also includes under-disclosed monitoring and Feishu notification code with a hard-coded recipient and unsafe dynamic Python execution.

Install only if you are comfortable with public market-data network requests and local storage under /workspace/data/tianji-system. Before running or scheduling market_watcher.py, remove or rewrite the Feishu push helper, make any recipient configurable, add explicit consent before outbound messages, and replace the dynamic python3 -c call with a safe in-process or data-only API call.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
from message_tool import message
        # 动态导入(避免循环依赖)
        import subprocess
        result = subprocess.run(
            ['python3', '-c',
             f'from tools import message; message(action="send", channel="feishu", target="user:ou_fd61d5ebc9af22913aa4c21c8e3cac14", message="{alert_msg}")'],
            capture_output=True, text=True, timeout=15,
Confidence
95% confidence
Finding
result = subprocess.run( ['python3', '-c', f'from tools import message; message(action="send", channel="feishu", target="user:ou_fd61d5ebc9af22913aa4c21c8e3cac14", mes

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documents capabilities that imply network access, local file writes, and likely shell/subprocess usage, yet it declares no permissions. This creates a trust and enforcement gap: a host may expose the skill more broadly than users expect, and reviewers cannot accurately assess or sandbox its behavior from the manifest alone.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The stated description presents the skill as a generic data/search reference, but the content indicates operational behavior: real-time market retrieval, alerting, persistence, and message sending. This mismatch is dangerous because it can conceal sensitive capabilities from users and platform policy, increasing the chance the skill is invoked in contexts where network, storage, or outbound notifications were not anticipated.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
This file implements persistent alert queuing and targeted outbound notification behavior that is materially different from the manifest's stated generic data/search purpose. Capability mismatches are dangerous because they hide side effects from users and reviewers, enabling undisclosed surveillance or messaging behavior under a less suspicious description.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The skill contains subprocess-based outbound Feishu messaging despite being presented as a data/search skill. Hidden outbound communication increases risk because the skill can exfiltrate derived data or generate unsolicited messages to a hardcoded recipient without clear authorization or user awareness.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger words are extremely broad, including generic terms like 'search', 'skill', '优化', '数据', and 'data', which can cause accidental invocation in unrelated conversations. When a skill has network and file capabilities, overbroad activation increases the attack surface by letting ordinary user phrasing trigger data collection or other side effects unexpectedly.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code sends Feishu messages to a hardcoded user target without any user-facing disclosure, confirmation, or visible consent flow. Silent outbound messaging can leak sensitive trading signals or operational data and creates a covert-action channel inside a skill that appears informational.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal