股票持仓分析大师 (Stock Portfolio Analysis Master)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine portfolio web app rather than malware, but it exposes portfolio data and LLM-key controls too broadly to be safe with a default installation.

Install only if you are prepared to run it locally and harden it first: bind the server to 127.0.0.1 rather than 0.0.0.0, restrict CORS to the origin that serves the UI, put authentication in front of every /api route (the LLM configuration route above all), protect portfolio.db and the logs and reports directories with filesystem permissions, do not enter a valuable LLM API key until the key is no longer logged or returned to the browser, and assume that any AI analysis sends holdings, cost basis and P&L to whichever provider is configured.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (25)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no permissions while its documented behavior clearly includes network access and persistent file/database/report writing. This creates a transparency and consent gap: a host may invoke the skill without understanding that it can open a server, write local data, and transmit portfolio information over HTTP.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This code introduces a generic LLM provider configuration system with arbitrary model types, endpoints, and credentials, which materially expands the skill beyond portfolio analysis into a reusable outbound AI integration layer. That scope expansion is dangerous because it enables undisclosed data flows and makes it easier to repurpose the skill to send sensitive financial data to third-party services.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The code sends user prompts and stock/portfolio analysis content to external LLM providers, but this external transmission is not clearly disclosed by the skill metadata. In a financial context, undisclosed sharing of holdings, prices, and analysis inputs can expose sensitive investment information to third parties and violate user expectations or policy requirements.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The update function accepts and stores arbitrary api_url, api_key, and api_id values, creating a generic mechanism to route prompts and secrets to attacker-controlled endpoints. In a portfolio-analysis skill, this is especially risky because financial data could be silently exfiltrated to untrusted infrastructure under the guise of model configuration.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code logs full request headers and serialized request payloads for MiniMax calls, which can include bearer tokens and sensitive user prompts containing portfolio details. Log exposure often becomes secondary exfiltration: anyone with log access can recover API credentials and private financial data without needing direct access to the application database or runtime traffic.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The file exposes generic LLM configuration and stock-analysis endpoints that extend beyond basic portfolio management and create a new capability surface for outbound model calls. This increases attack surface and enables data egress or misuse of external AI services without clear access controls or scope justification.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The POST /api/llm/config route allows runtime modification of api_url, api_key, model selection, and enablement, which can redirect sensitive prompts and portfolio data to attacker-controlled infrastructure. In a service exposed on 0.0.0.0 with CORS enabled and no visible authentication, this is a serious configuration-tampering and data-exfiltration risk.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The portfolio UI includes an LLM configuration panel and AI-analysis workflow that are outside the core portfolio-management function described by the skill metadata. Expanding scope to include model endpoint and credential handling increases attack surface and enables sensitive-data processing paths that are not justified by the stated business need.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The frontend presents fields for model API URL, API key, and API ID, meaning the browser is used to collect highly sensitive external-service credentials. In a portfolio app, exposing credential entry and management in the client creates unnecessary risk of theft through XSS, browser compromise, shoulder surfing, or unauthorized access to the page.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The client fetches existing LLM configuration and writes the stored API key back into the browser DOM, exposing a reusable secret to any user with page access and to any malicious script running in the origin. This turns a server-side secret into a client-side secret, defeating confidentiality controls and making key exfiltration straightforward.
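
The findings above on api_url, api_key and the GET that writes the key into the DOM all describe one path: a configuration route that takes any endpoint and any secret from an unauthenticated caller, then hands the secret back. The following is an added example, not code from the project, showing how the server side of POST /api/llm/config and its read view could be hardened in Python. The route and field names come from the findings; the allow-listed hosts, the admin token and the dict used as a store are constructed for illustration.

```python
"""Hardened server-side handling for the LLM provider configuration.

Added example, not the project's code. Route and field names
(/api/llm/config, api_url, api_key, api_id, model, enabled) come from the
findings; the allow-list, the admin token and the dict used as a store are
constructed for illustration.
"""
import hmac
from urllib.parse import urlsplit

# Constructed allow-list of provider hosts the operator has reviewed.
ALLOWED_PROVIDER_HOSTS = {"api.provider-a.test", "api.provider-b.test"}

# Constructed admin token. A real deployment reads this from the
# environment at startup and never returns it to the client.
ADMIN_TOKEN = "constructed-admin-token-change-me"


def validate_api_url(url, allowed_hosts=ALLOWED_PROVIDER_HOSTS):
    """Accept only https URLs pointing at an allow-listed provider host.

    This closes the path in which a caller redirects prompts and the stored
    key to an endpoint they control by 'configuring' a new api_url.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("api_url must use https")
    if parts.username or parts.password:
        raise ValueError("api_url must not embed credentials")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise ValueError(f"api_url host {host!r} is not an approved provider")
    return url


def mask_secret(secret):
    """Display form of a key: at most the last four characters survive."""
    if not secret:
        return ""
    if len(secret) < 12:
        return "****"
    return "****" + secret[-4:]


def public_config(store):
    """The GET view: everything except the secret itself."""
    return {
        "api_url": store.get("api_url", ""),
        "api_id": store.get("api_id", ""),
        "model": store.get("model", ""),
        "enabled": bool(store.get("enabled", False)),
        "api_key_set": bool(store.get("api_key")),
        "api_key_hint": mask_secret(store.get("api_key", "")),
    }


def update_llm_config(store, payload, presented_token, admin_token=ADMIN_TOKEN):
    """Apply a POST /api/llm/config body after authentication and validation.

    `store` stands in for the server-side config row. Only the listed fields
    are copied, so a request cannot smuggle in extra settings, and the key is
    replaced only when a new, non-masked value is supplied, so a form that
    round-trips the masked hint cannot clobber the real key.
    """
    if not hmac.compare_digest(presented_token or "", admin_token):
        raise PermissionError("missing or invalid admin token")
    if "api_url" in payload:
        store["api_url"] = validate_api_url(str(payload["api_url"]))
    if "api_id" in payload:
        store["api_id"] = str(payload["api_id"])[:128]
    if "model" in payload:
        store["model"] = str(payload["model"])[:128]
    if "enabled" in payload:
        store["enabled"] = bool(payload["enabled"])
    new_key = payload.get("api_key")
    if new_key and not str(new_key).startswith("****"):
        store["api_key"] = str(new_key)
    return public_config(store)


if __name__ == "__main__":
    config = {}
    print(update_llm_config(
        config,
        {"api_url": "https://api.provider-a.test/v1", "model": "demo-model",
         "api_key": "sk-constructed-example-key-1234", "enabled": True},
        ADMIN_TOKEN))
```

In Flask this sits behind a route for /api/llm/config that reads the token from the Authorization header, with the app started as app.run(host="127.0.0.1") and flask_cors.CORS(app, origins=[...]) limited to the origin that serves the UI. The GET view returns api_key_set and a four-character hint instead of the key, which is enough for the form to show that a key exists without ever placing the secret in the browser.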

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation encourages starting a server on 0.0.0.0 and describes deletion/export operations without warning or confirmation requirements. In context, this is dangerous because portfolio data is sensitive financial information, and exposing the service on all interfaces can make modification, deletion, or data export reachable beyond the local machine if deployed carelessly.

Missing User Warnings

High
Confidence
99% confidence
Finding
Logging the request headers and payload without masking directly exposes authentication material and user-supplied content. Because this skill handles financial analysis, those logs may contain especially sensitive holdings and trading context, increasing privacy and credential-compromise risk.
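
Both log-related findings (the MiniMax call above and this one) point at the same fix: log the shape of an outbound request, never its credentials or its prompt. The block below is an added example, not the project's code; the header names, the key shape and the sample request are constructed.

```python
"""Log outbound LLM requests without recording credentials or prompt text.

Added example, not the project's code. Header names, key shapes and the
sample request below are constructed for illustration.
"""
import json
import re

# Header names whose values are credentials (compared case-insensitively).
SENSITIVE_HEADERS = {"authorization", "x-api-key", "api-key", "cookie", "set-cookie"}

# Shapes of secrets that may appear inside URLs or error text. The 'sk-'
# prefix is a constructed example of a common API-key shape.
SECRET_PATTERNS = [
    re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._\-]{8,}"),
    re.compile(r"\bsk-[A-Za-z0-9_\-]{8,}"),
]


def redact_headers(headers):
    """Keep header names and the Authorization scheme, drop credential values."""
    redacted = {}
    for name, value in headers.items():
        lowered = name.lower()
        if lowered == "authorization" and " " in value:
            redacted[name] = value.split(" ", 1)[0] + " [REDACTED]"
        elif lowered in SENSITIVE_HEADERS:
            redacted[name] = "[REDACTED]"
        else:
            redacted[name] = value
    return redacted


def redact_text(text):
    """Strip bearer tokens and key-like strings from free text (URLs, errors)."""
    for pattern in SECRET_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def summarize_body(body):
    """Record the shape of the request body, never the prompt itself."""
    is_dict = isinstance(body, dict)
    messages = body.get("messages", []) if is_dict else []
    size = len(json.dumps(body, ensure_ascii=False).encode("utf-8"))
    return {
        "model": body.get("model") if is_dict else None,
        "messages": len(messages),
        "bytes": size,
    }


def safe_request_record(method, url, headers, body, error=None):
    """Build the dict that is safe to write to disk."""
    record = {
        "method": method,
        "url": redact_text(url),
        "headers": redact_headers(headers),
        "body": summarize_body(body),
    }
    if error is not None:
        record["error"] = redact_text(str(error))
    return record


def safe_request_log(method, url, headers, body, error=None):
    """One JSON log line built from the redacted record."""
    return json.dumps(safe_request_record(method, url, headers, body, error),
                      ensure_ascii=False)


# Constructed sample request of the kind the finding describes.
SAMPLE_HEADERS = {
    "Authorization": "Bearer sk-constructed-1234567890abcdef",
    "Content-Type": "application/json",
}
SAMPLE_BODY = {
    "model": "demo-model",
    "messages": [{"role": "user",
                  "content": "I hold 500 shares bought at 120.0; analyze the position."}],
}

if __name__ == "__main__":
    print(safe_request_log("POST", "https://api.provider.test/v1/chat",
                           SAMPLE_HEADERS, SAMPLE_BODY))
```

Message count and byte size are enough to debug rate limits and malformed requests; if full bodies are ever needed, capture them to a separate, access-controlled debug sink that is off by default, not to the ordinary application log.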

Missing User Warnings

High
Confidence
96% confidence
Finding
This request transmits stock-analysis prompts to an external provider, and elsewhere the prompt includes detailed holdings and P&L information. Sending private portfolio data to third-party APIs without clear notice or consent is dangerous because it exposes sensitive financial behavior and account context outside the application's trust boundary.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This code path accepts and updates LLM credentials from API requests without any visible disclosure, approval flow, or administrative safeguard. That makes secret handling unsafe and can lead to accidental exposure, unauthorized key replacement, or silent redirection of paid usage and sensitive data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The stock-analysis flow builds a prompt containing portfolio holdings, cost basis, profit/loss, and detailed market data, then sends it to an external LLM service. Without visible consent, disclosure, or data-minimization controls, users may unknowingly transmit sensitive financial information to third parties.
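
An added example, not the project's code, of the data-minimization and consent step the last two findings ask for: the outbound prompt carries tickers, portfolio weights and current prices, while share counts, cost basis and profit or loss never leave the machine, and no prompt is built until the user has accepted a notice naming the provider. The Position fields, the sample holdings and the provider host are constructed.

```python
"""Data-minimized, consent-gated prompt for external portfolio analysis.

Added example, not the project's code. The Position fields and the sample
holdings are constructed; the provider host is a placeholder.
"""
from dataclasses import dataclass


@dataclass
class Position:
    ticker: str
    quantity: float     # shares held: private, never sent
    cost_basis: float   # per-share cost: private, never sent
    last_price: float   # public market data


class ConsentRequired(Exception):
    """Raised when the user has not confirmed the external transfer."""


def consent_notice(provider_host):
    """Text the UI must show, and the user must accept, before any AI call."""
    return (f"AI analysis sends your tickers, portfolio weights and current "
            f"prices to {provider_host}. Share counts, cost basis and profit "
            f"or loss are not sent. Continue?")


def minimized_view(positions):
    """Replace absolute holdings with relative weights of the portfolio."""
    total = sum(p.quantity * p.last_price for p in positions)
    rows = []
    for p in positions:
        weight = p.quantity * p.last_price / total if total else 0.0
        rows.append({"ticker": p.ticker,
                     "weight_pct": round(100 * weight, 1),
                     "last_price": p.last_price})
    return rows


def build_analysis_prompt(positions, consented, market_notes=""):
    """Build the outbound prompt; refuses without explicit consent."""
    if not consented:
        raise ConsentRequired("user has not accepted the consent notice")
    lines = ["Analyze this portfolio allocation. Each line is "
             "ticker, weight of portfolio, last price."]
    for row in minimized_view(positions):
        lines.append(f"{row['ticker']}: {row['weight_pct']}% at {row['last_price']}")
    if market_notes:
        lines.append("Market notes: " + market_notes)
    return "\n".join(lines)


def leaks_private_numbers(prompt, positions):
    """Coarse pre-send check: no private figure appears verbatim in the prompt."""
    for p in positions:
        pnl = (p.last_price - p.cost_basis) * p.quantity
        for value in (p.quantity, p.cost_basis, pnl):
            if f"{value:g}" in prompt:
                return True
    return False


# Constructed sample holdings.
SAMPLE_POSITIONS = [
    Position("AAA", 500, 120.0, 150.0),
    Position("BBB", 200, 80.0, 50.0),
]

if __name__ == "__main__":
    print(consent_notice("api.provider.test"))
    prompt = build_analysis_prompt(SAMPLE_POSITIONS, consented=True)
    assert not leaks_private_numbers(prompt, SAMPLE_POSITIONS)
    print(prompt)
```

The consent flag should be recorded per provider host and reset whenever api_url changes, so that approving one provider never silently covers a later redirection to another.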

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The UI retrieves and displays stored API credentials without any warning, masking strategy, or justification, which normalizes insecure handling of secrets and increases the chance of accidental disclosure. Although this overlaps with the direct secret exposure issue, the absence of user-facing safeguards further raises the likelihood of misuse and leakage.

Unpinned Dependencies

Low
Category
Supply Chain
Content
flask>=2.0.0
flask-cors>=3.0.0
requests>=2.25.0
flask-sock>=0.4.0
Confidence
96% confidence
Finding
flask>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
flask>=2.0.0
flask-cors>=3.0.0
requests>=2.25.0
flask-sock>=0.4.0
markdown>=3.3.0
Confidence
96% confidence
Finding
flask-cors>=3.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
flask>=2.0.0
flask-cors>=3.0.0
requests>=2.25.0
flask-sock>=0.4.0
markdown>=3.3.0
Confidence
96% confidence
Finding
requests>=2.25.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
flask>=2.0.0
flask-cors>=3.0.0
requests>=2.25.0
flask-sock>=0.4.0
markdown>=3.3.0
Confidence
94% confidence
Finding
flask-sock>=0.4.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
flask-cors>=3.0.0
requests>=2.25.0
flask-sock>=0.4.0
markdown>=3.3.0
Confidence
95% confidence
Finding
markdown>=3.3.0

Known Vulnerable Dependency: flask — 8 advisory(ies): CVE-2025-47278 (Flask uses fallback key instead of current signing key); CVE-2018-1000656 (Flask is vulnerable to Denial of Service via incorrect encoding of JSON data); CVE-2019-1010083 (Pallets Project Flask is vulnerable to Denial of Service via Unexpected memory u) +5 more

High
Category
Supply Chain
Confidence
89% confidence
Finding
flask. The floor flask>=2.0.0 already excludes the two pre-1.0 denial-of-service advisories (CVE-2018-1000656 was fixed in 0.12.3 and CVE-2019-1010083 in 1.0), but it leaves the range open to 3.1.0, the release affected by CVE-2025-47278 (fixed in 3.1.1). A lower bound is not a fix: pin an exact, patched release and review the pin whenever new advisories appear.

Known Vulnerable Dependency: flask-cors — 10 advisory(ies): CVE-2024-6866 (Flask-CORS vulnerable to Improper Handling of Case Sensitivity); CVE-2024-6839 (Flask-CORS improper regex path matching vulnerability); CVE-2024-1681 (flask-cors vulnerable to log injection when the log level is set to debug) +7 more

High
Category
Supply Chain
Confidence
91% confidence
Finding
flask-cors. The three advisories named here all affect releases above the 3.0.0 floor, so the open range admits every one of them; pin to a release at or above the fixed versions named in the advisories.

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
92% confidence
Finding
requests. CVE-2014-1830 predates the 2.25.0 floor (fixed in 2.3.0) and is excluded by it, but CVE-2024-35195 (fixed in 2.32.0) and CVE-2024-47081 (fixed in 2.32.4) sit inside the open range and are reachable unless the resolver happens to pick a patched release.

Known Vulnerable Dependency: markdown — 2 advisory(ies): CVE-2025-69534 (Python-Markdown has an Uncaught Exception); CVE-2025-69534 (Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like se)

High
Category
Supply Chain
Confidence
84% confidence
Finding
markdown. Both advisory entries reference the same identifier, CVE-2025-69534, so this is one advisory counted twice; its description names 3.8 as affected, which markdown>=3.3.0 does not exclude.
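
The four dependency findings above match advisories against the whole open range that a >= floor allows, which is why advisories for releases far below the floor appear next to ones the range really admits. The following is an added example, not the scanner's or the project's code, that applies the rule the findings imply (an advisory affects releases from its introduced version up to, but not including, its fix) to the requirement lines shown in the findings. The fixed-in versions are taken from the cited advisories as published and should be re-verified against an advisory database before being relied on; only the flask and requests entries that could be confirmed against the advisory text are included.

```python
"""Check whether a requirements floor still admits advisory-affected versions.

Added example, not the project's or the scanner's code. The requirement
lines are the ones shown in the findings; the fixed-in versions are taken
from the cited advisories as published and should be re-verified before
being relied on. The rule implemented is the simple one the findings imply:
an advisory affects every release from 'introduced' up to, but not
including, 'fixed'. A bare '>' clause is treated like '>=' for simplicity.
"""
import re

REQUIREMENTS = """\
flask>=2.0.0
flask-cors>=3.0.0
requests>=2.25.0
flask-sock>=0.4.0
markdown>=3.3.0
"""

# Fixed-in versions per the cited advisories (verify before use).
ADVISORIES = [
    {"package": "flask", "id": "CVE-2018-1000656", "fixed": "0.12.3"},
    {"package": "flask", "id": "CVE-2019-1010083", "fixed": "1.0"},
    {"package": "flask", "id": "CVE-2025-47278", "introduced": "3.1.0", "fixed": "3.1.1"},
    {"package": "requests", "id": "CVE-2014-1830", "fixed": "2.3.0"},
    {"package": "requests", "id": "CVE-2024-35195", "fixed": "2.32.0"},
    {"package": "requests", "id": "CVE-2024-47081", "fixed": "2.32.4"},
]


def parse_version(text):
    """'0.12.3' -> (0, 12, 3); '1.0' pads to (1, 0, 0) so comparisons line up."""
    parts = tuple(int(n) for n in re.findall(r"\d+", text))
    return parts + (0,) * (3 - len(parts))


def parse_requirement(line):
    """Return (name, floor, pin): floor from >=/>, pin from ==, either may be None."""
    match = re.match(r"\s*([A-Za-z0-9_.\-]+)\s*(.*)$", line)
    name, spec = match.group(1).lower(), match.group(2).strip()
    floor = pin = None
    for clause in (c.strip() for c in spec.split(",")):
        if not clause:
            continue
        op, ver = re.match(r"(==|>=|<=|~=|>|<)\s*(.+)", clause).groups()
        if op == "==":
            pin = parse_version(ver)
        elif op in (">=", ">"):
            floor = parse_version(ver)
    return name, floor, pin


def advisory_reachable(requirement_line, advisory):
    """True when the allowed version range still intersects the affected range."""
    _, floor, pin = parse_requirement(requirement_line)
    introduced = parse_version(advisory.get("introduced", "0"))
    fixed = parse_version(advisory["fixed"])
    if pin is not None:
        return introduced <= pin < fixed
    low = max(floor or (0, 0, 0), introduced)
    return low < fixed


def audit(requirements_text, advisories):
    """Map each advisory id to 'reachable' or 'excluded by floor'."""
    lines = [line for line in requirements_text.splitlines()
             if line.strip() and not line.lstrip().startswith("#")]
    by_name = {parse_requirement(line)[0]: line for line in lines}
    report = {}
    for adv in advisories:
        line = by_name.get(adv["package"])
        if line is None:
            continue
        report[adv["id"]] = "reachable" if advisory_reachable(line, adv) else "excluded by floor"
    return report


def safe_floor(package, advisories):
    """Lowest version at or above every listed fix for the package, as a string."""
    fixed = [parse_version(a["fixed"]) for a in advisories if a["package"] == package]
    return ".".join(str(n) for n in max(fixed)) if fixed else None


if __name__ == "__main__":
    for cve, status in audit(REQUIREMENTS, ADVISORIES).items():
        print(f"{cve}: {status}")
    print("interim floors:", safe_floor("flask", ADVISORIES), safe_floor("requests", ADVISORIES))
```

An interim floor such as flask>=3.1.1 narrows the window but is still not a pin; the durable fix is an exact pin per package, generated with pip freeze or pip-compile --generate-hashes and installed with pip install --require-hashes, and re-audited whenever the advisory database changes.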

VirusTotal

0 of 63 VirusTotal engines flagged this skill; all 63 returned a clean verdict. That verdict covers known-malware signatures only and says nothing about the design issues listed above (unauthenticated configuration, secret exposure, undisclosed data egress), which antivirus engines are not built to detect.