看盘之眼

Security checks across malware telemetry and agentic risk

Overview

This looks like a stock-chart OCR helper, but it needs review because it can control a live trading window, capture financial screenshots, and send images to cloud OCR services with weak scoping.

Install only if you are comfortable with a Windows skill that can focus and type into a trading app, take screenshots, save them locally, and use cloud OCR. Prefer local OCR, remove or rotate embedded credentials, verify the exact target window before running it, and avoid using it while unrelated sensitive windows are visible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (90)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
Write-Output $foundTitle
}}
'''
    result = subprocess.run(
        ['powershell', '-Command', ps_script],
        capture_output=True,
        text=True,
Confidence
91% confidence
Finding
result = subprocess.run( ['powershell', '-Command', ps_script], capture_output=True, text=True, encoding='utf-8' )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
Write-Output "OK"
'''
    result = subprocess.run(
        ['powershell', '-Command', ps_script],
        capture_output=True,
        text=True,
Confidence
88% confidence
Finding
result = subprocess.run( ['powershell', '-Command', ps_script], capture_output=True, text=True, encoding='utf-8' )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
Remove-Item $jpegPath -ErrorAction SilentlyContinue
'''
    
    result = subprocess.run(
        ['powershell', '-Command', ps_script],
        capture_output=True,
        text=True,
Confidence
80% confidence
Finding
result = subprocess.run( ['powershell', '-Command', ps_script], capture_output=True, text=True, encoding='utf-8', timeout=120 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
'''.format(width, height, abs_left, abs_top, output_path.replace(os.sep, '/'))
    
    try:
        result = subprocess.run(
            ['powershell', '-Command', ps_script],
            capture_output=True,
            text=True,
Confidence
84% confidence
Finding
result = subprocess.run( ['powershell', '-Command', ps_script], capture_output=True, text=True, timeout=10 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_command(cmd, check=True):
    """Run a command and return the result"""
    try:
        result = subprocess.run(
            cmd,
            shell=True,
            capture_output=True,
Confidence
95% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True, text=True, encoding='utf-8' )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
'''

# Run PowerShell
result = subprocess.run(
    ['powershell', '-Command', ps_script],
    capture_output=True,
    text=True,
Confidence
93% confidence
Finding
result = subprocess.run( ['powershell', '-Command', ps_script], capture_output=True, text=True, encoding='utf-8' )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
        # Execute the PowerShell script
        result = subprocess.run(
            ['powershell', '-ExecutionPolicy', 'Bypass', '-File', ps_file],
            capture_output=True,
            text=True,
Confidence
90% confidence
Finding
result = subprocess.run( ['powershell', '-ExecutionPolicy', 'Bypass', '-File', ps_file], capture_output=True, text=True, encoding='utf-8',

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f.write(ps_cmd)
            ps_file = f.name
        
        result = subprocess.run(
            ['powershell', '-ExecutionPolicy', 'Bypass', '-File', ps_file],
            capture_output=True,
            text=True,
Confidence
90% confidence
Finding
result = subprocess.run( ['powershell', '-ExecutionPolicy', 'Bypass', '-File', ps_file], capture_output=True, text=True, encoding='utf-8',

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation indicates capabilities to read/write files, access environment variables, invoke shell commands, and use networked OCR services, yet no permissions are explicitly declared. This creates a transparency and consent problem: operators may invoke a skill that exfiltrates screenshots or uses broader host capabilities than expected.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The stated purpose is narrowly framed as extracting MA values from a specific trading terminal, but the documentation also supports enumerating all visible windows, operating against different window titles, and sending images to external OCR providers using embedded credentials. That mismatch is dangerous because it hides materially broader collection and automation behavior than users would reasonably expect.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill promotes external cloud OCR even though the core use case appears to be local screenshot capture and text extraction. Sending screenshots of a live desktop trading application to third-party services can expose sensitive financial or personal information beyond what the user expects.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The skill claims to target '通达信金融终端' but elsewhere defaults to '金长江' windows and gives instructions for automating that software. Inconsistent targeting increases the chance of operating on the wrong application window, causing unintended desktop control or capture of unrelated sensitive content.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script uploads screenshots of a live trading window to a third-party OCR service, but the skill description does not disclose any external transmission. Trading screenshots can contain sensitive financial data, account information, or other on-screen content, so undisclosed exfiltration to an external service materially increases privacy and data leakage risk.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script does more than passively capture a screenshot: it forcibly brings an external trading window to the foreground and injects keystrokes to change application state, including clearing input, entering a stock code, and switching chart modes. In a financial terminal context, unsolicited UI automation is security-relevant because it can affect the user's active session, act on the wrong window if title matching is imprecise, and create a path for unintended or unauthorized interaction beyond OCR.

Context-Inappropriate Capability

Low
Confidence
79% confidence
Finding
Enumerating all visible window titles exposes information about other applications and documents open on the desktop, which may include sensitive names or workflow details unrelated to the stock OCR task. While not directly destructive, this is an unnecessary discovery capability that broadens access to user environment metadata and can assist mis-targeting or reconnaissance.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
Enumerating and printing all visible window titles exposes unrelated desktop/application metadata that is not necessary for MA/OCR extraction. Window titles often contain document names, account identifiers, chat previews, or sensitive operational context, so this expands data access beyond the stated purpose.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill injects synthetic keyboard input into the active desktop session without binding input to a verified target window. If the wrong window has focus, it can trigger unintended actions such as sending messages, altering orders, dismissing dialogs, or interacting with sensitive applications.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Desktop-wide window enumeration is an unnecessary inspection capability for the stated task of capturing a stock chart and extracting MA values. In the skill context, this overbroad visibility increases privacy risk because it can reveal unrelated application usage and sensitive titles.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata says it operates on 通达信 screenshots, but the code actually searches for and manipulates a different trading client window titled “金长江”. This mismatch is security-relevant because users may grant trust based on the stated scope while the code targets a different application and its on-screen data.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The description presents the tool as OCR over screenshots, but the code also sends synthetic keystrokes to a foreground trading application to change symbols and chart modes. Hidden UI automation is more dangerous than passive OCR because it can alter application state, interfere with user actions, and create opportunities for unintended interaction with sensitive software.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script hardcodes Baidu OCR credentials and sends local screenshot data to an external cloud OCR service. In the context of a skill described as screenshot/OCR for a local trading terminal, this creates a significant confidentiality and supply-chain risk because sensitive trading data may leave the host without explicit, documented consent.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill captures part of a live trading terminal window and transmits the image to a third-party OCR API, despite the skill description implying local screenshot OCR. This creates an undisclosed data exfiltration path for potentially sensitive financial data, account identifiers, watchlists, or proprietary trading context visible in the screenshot.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code embeds a hardcoded OCR.space API key and couples the skill to an external service without clear justification or user awareness. Hardcoded credentials are easy to leak, misuse, or rotate poorly, and they normalize hidden third-party dependencies in a tool processing sensitive screenshots.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill presents itself as OCR for local stock-chart screenshots, but it actually uploads captured chart images to the external OCR.space service. This is a material data-flow mismatch that can expose potentially sensitive trading information, account context, or workstation screen content without clear user awareness.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script captures part of a trading application window and sends the image to a third-party OCR service over the network. This creates a real data-exfiltration/privacy risk because screenshots may contain holdings, account data, watchlists, or other sensitive trading information, and the external transmission is not clearly disclosed in the skill description or gated by explicit consent.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
