ClawHub
Back to skill

Security audit

Mx Select Stock

Security checks across malware telemetry and agentic risk

Overview

This skill is a stock-screening tool that uses an Eastmoney API key and saves local result files, with no evidence of hidden or unrelated behavior.

Install only if you trust the publisher and are comfortable sending stock-screening queries and your MX_APIKEY to Eastmoney’s API. Treat saved output files as potentially sensitive because they can reveal investment interests, and delete the CSV/TXT/JSON results when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares operational capabilities through its metadata and documentation—environment variable access, network use, and filesystem writes—but does not declare permissions explicitly. This creates a transparency and policy-enforcement gap: users or hosting platforms may not realize the skill can exfiltrate data via network access or modify local files, especially when an API key is present in the environment.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The skill states it will automatically create an output directory and write CSV/TXT files, but does not warn the user about these filesystem side effects at execution time. While this appears consistent with the skill's purpose, silent file creation can still surprise users, overwrite expectations about workspace contents, or leak sensitive query contents into predictable local files.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal