fund-daily

Security checks across malware telemetry and agentic risk

Overview

This fund-report skill mostly matches its purpose, but it can send reports to a hardcoded Telegram recipient and depends on an unbundled local script, so users should review it before installing.

Do not run or schedule this skill as-is. First remove and rotate the embedded Telegram token, replace the chat ID with your own destination, confirm Telegram sending is desired, and review or remove the hardcoded dependency on the external news-market script. The behavior does not show clear malicious intent, but the default credentials and recurring outbound report delivery make it a Review item.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Fetch financial news (using the news-market skill)"""
    try:
        script_path = r"C:\Users\ZhuanZ\.openclaw\workspace\skills\news-market\scripts\news_market.py"
        result = subprocess.run(
            ['python', script_path, 'category', '--cat', 'securities', '--limit', str(limit)],
            capture_output=True,
            text=True,
Confidence
93% confidence
Finding
result = subprocess.run( ['python', script_path, 'category', '--cat', 'securities', '--limit', str(limit)], capture_output=True, text=True, time

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill documentation declares no permissions while the described workflow and linked code capabilities imply outbound network access and scheduled execution via shell/task schedulers. Missing permission disclosure is dangerous because users may install or enable the skill without understanding that it can contact external services and automate execution, reducing informed consent and review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose understates several materially sensitive behaviors: automatic Telegram delivery, hardcoded credential usage, subprocess invocation of an external script from a fixed path, and writing files to fixed local directories. This mismatch is dangerous because it can hide data exfiltration paths, unexpected local code execution, and persistence-like behavior behind a seemingly simple reporting skill.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill executes another local skill script, expanding its effective capability beyond the reviewed file and creating a trust boundary bypass. In this context, a fund-reporting skill should not implicitly inherit arbitrary behavior from another script without transparency and integrity controls, because the external script could be altered to run malicious code or exfiltrate data.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code hardcodes a Telegram bot token and chat ID, giving the script built-in authority to send data to an external recipient. In a scheduled reporting skill, this is especially risky because anyone with code access can reuse the token, impersonate the bot, and exfiltrate information without further authorization.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill supports automatic daily Telegram sending, but the description does not prominently warn users that reports will be transmitted externally on a schedule. This is dangerous because financial holdings and related report content may be sent without the user fully realizing there is recurring outbound sharing.

Missing User Warnings

High
Confidence
99% confidence
Finding
A hardcoded Telegram bot token is a live credential embedded directly in source code. Exposure of this token allows unauthorized parties to control the bot, send messages/files as the bot, and potentially access bot-related data, making this a clear secret leakage issue.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The generated Word report is automatically transmitted to Telegram without any user confirmation or clear warning at send time. Even if the intended content is financial reporting, automatic external file transfer increases data leakage risk, especially in a scheduled task that may run unattended and could later include sensitive portfolio details or other local content.

VirusTotal

64/64 vendors flagged this skill as clean.
