Back to skill

Security audit

功夫财经

Security checks across malware telemetry and agentic risk

Overview

This finance skill is mostly coherent, but it deserves review because it can change authenticated account data, store an API key locally, use a configurable external search endpoint, and ask the agent to apply updates via shell command.

Install only if you trust kungfu-trader and the Tianshan API with your OpenKey and finance queries. Do not enable the optional research search endpoint unless you control or trust that provider, and approve any skill update command manually before it runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The README claims the outbound API host list is complete, but later sections document additional destinations for update checks and an optional user-configured search endpoint. This kind of documentation inconsistency can mislead reviewers and operators about the actual network trust boundary, causing unexpected data egress or incomplete approval decisions.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The trust note states that all outbound endpoints are listed and that no other hosts are contacted, yet the README later acknowledges additional hosts for update checks and optional search. False or overbroad trust assertions reduce transparency and can cause users to approve a skill under inaccurate assumptions about external communications.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill explicitly instructs the agent to execute a shell update command returned by a remote check-update workflow. Even though the command is framed as a maintenance action, it is outside the core stock-analysis purpose and creates a supply-chain/command-execution path where remote content can influence local shell behavior.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill includes a credential configuration flow that accepts an OpenKey and persists it to ~/.openclaw/.env. Persistent secret handling materially expands the trust boundary beyond passive stock analysis and creates risk of credential capture, misuse, or later exposure through file access, logs, or other skills.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The document claims it does not provide specific trading instructions, but later includes directional phrases such as '逢低值得重点关注', '等待回调', and '不宜追高', which function as actionable entry-timing guidance. In an investment-analysis skill, this contradiction can mislead downstream agents or users into treating the output as de facto trading advice while bypassing safeguards intended to exclude execution guidance.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The runtime allows an arbitrary externally configured research-search endpoint, which can redirect outbound requests to untrusted infrastructure. In a finance-analysis skill, this increases the chance of data exfiltration, SSRF-like misuse of the agent's network privileges, or silent routing of sensitive prompts/results and API keys to attacker-controlled services if deployment configuration is compromised.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This flow exposes state-changing operations (`add` and `delete`) for subscription/watchlist management, while the skill description emphasizes analysis and research functionality. That mismatch can mislead users or higher-level orchestration into granting broader permissions than expected, enabling unintended modification of a user's account state if the flow is invoked directly or indirectly.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The skill content is written entirely in Chinese and embeds mandatory Chinese-language output structures, which effectively forces a locale/language choice without explicit user opt-in. This can cause the agent to ignore the user's preferred language, degrade comprehension of financial risk information, and increase the chance of user error in high-stakes investing contexts.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
This skill hard-codes Chinese-language output and workflow text across the entire module without offering a language-selection mechanism or clearly documenting that Chinese is a strict operational requirement. In an agent setting, forced output language can cause user misunderstanding, reduce reviewability by non-Chinese-speaking operators, and impair oversight of financial-analysis results, which is a meaningful safety and usability risk even if it is not directly code-execution related.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This code sends flow, target_date, subject, and queries to a configurable external endpoint using a bearer token, with no validation of destination trust, data minimization, or consent mechanism visible in this component. In a research tool, those fields can contain sensitive analyst prompts, proprietary watchlists, or trading research context, so misconfiguration or unexpected provider use could leak confidential information outside the skill boundary.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.