Security audit

A 股投资决策助手

Security checks across malware telemetry and agentic risk

Overview

This stock-report skill is mostly purpose-aligned, but it runs an unbundled local Python helper while handling sensitive portfolio data.

Review before installing. Inspect ~/.openclaw/workspace/shared_memory_loader.py because this skill imports and executes it at startup. Only run it if you are comfortable with stock symbols being queried through qt.gtimg.cn and with portfolio reports being saved locally under ~/.openclaw/decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding
The skill advertises operational capabilities that imply network access and file writing, but it declares no permissions or trust boundaries. That creates a transparency and consent problem: users and the platform cannot accurately assess what the skill may access or modify before execution.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding
The documented purpose focuses on reading holdings and generating decisions, but the detected behavior extends to external network calls and local file creation. This mismatch is dangerous because it obscures actual data flows and side effects, increasing the risk of unauthorized transmission of portfolio data or silent persistence of sensitive outputs.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The skill metadata says it reads shared memory to generate a report, but the implementation also makes outbound HTTP requests to a live market data endpoint. This creates an undeclared network dependency and causes data to leave the local environment, which matters in agent systems that rely on least-privilege and accurate capability descriptions for safe execution.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding
The skill description implies in-memory/shared-memory analysis and report generation, but the code also writes reports to disk under the user's home directory. Undisclosed persistence can expose sensitive portfolio information to other local processes or future runs and breaks the expected data-handling boundary of the skill.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The README explicitly instructs users to configure a Feishu webhook while the skill also reads portfolio holdings from shared memory, but it provides no privacy notice, data-flow explanation, or warning that sensitive financial information may be transmitted externally. In an investment-decision skill, holdings, cost basis, and trading actions are sensitive data, so silent or poorly disclosed outbound notification behavior creates a real confidentiality risk.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The skill states that it reads shared memory and fetches real-time market data, but it does not warn users that portfolio-related information may be accessed and combined with external services. In an investment context, holdings data is sensitive and can reveal financial positions, so undisclosed access and transmission materially increase privacy and security risk.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
Documenting a Feishu webhook without warning that notifications may include investment decisions or holdings data creates a real third-party exfiltration risk. In this context, alerts may contain sensitive financial information, and users may configure the webhook without understanding that such data could be transmitted outside their control boundary.

VirusTotal

64/64 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.