Stock Analysis CN

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis skill has a plausible purpose, but it can produce investment recommendations from placeholder data and includes under-scoped file, network, and credential guidance.

Review carefully before installing. Treat outputs as experimental research, not investment advice; do not provide session cookies or account credentials; run it only in a workspace where report writes and /tmp cache files are acceptable; and verify all financial data independently because parts of the implementation use placeholder or hardcoded values.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation describes capabilities that imply network access and file I/O, but no declared permissions are present. This creates a transparency and consent problem: users or hosting platforms may not realize the skill can fetch remote data and write reports to disk, increasing the risk of unexpected data transmission or filesystem modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented behavior does not fully match the described functionality: screening, local CSV reads, non-Word outputs, placeholder financial data, and simplified hardcoded valuation logic are not accurately disclosed. This is dangerous because users may make financial decisions based on incomplete or mocked analysis and may not expect local file access or the actual output format.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document states that the skill does not require personal login, yet it explicitly recommends authenticated access to Jisilu via browser automation or user-provided session cookies. That contradiction can mislead operators into collecting authentication material they otherwise would not expect to handle, increasing the risk of account compromise, session theft, and insecure credential handling.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The function advertises fetching financial statements but actually returns hardcoded mock data, which can cause the skill to generate materially false investment analysis while appearing data-driven. In a stock-analysis skill that produces investor-facing reports, this is dangerous because users may rely on fabricated financial inputs for financial decisions without any indication that the data is synthetic.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The module-level documentation claims live API-backed fundamental analysis and computation of multiple metrics, but the implementation does not perform those API calls or calculations. This creates a misleading trust signal about the accuracy and completeness of the analysis, increasing the risk that downstream users or agents treat incomplete placeholder output as real financial due diligence.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The CLI accepts an arbitrary --output path and writes the generated report directly to that location without restriction or confirmation. In an agent or automation context, this can be abused to overwrite unintended files or place content in sensitive locations, expanding the skill from analysis/report generation into filesystem modification.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
This module presents itself as valuation analysis for stocks, but the implementation returns static placeholder data rather than fetching real market or financial inputs. In an investment-analysis skill, silently substituting fabricated valuations can mislead downstream reports and users into making financial decisions based on false data, which is a security/trustworthiness issue even without code execution.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The docstring claims analysis against historical percentiles, industry averages, and peer medians, but the implementation mostly uses simulated percentiles and static defaults. In a financial analysis skill, this mismatch can create a false sense of rigor and cause users or consuming agents to trust outputs that are not actually derived from the claimed methodology.

Intent-Code Divergence

Low
Confidence
93% confidence
Finding
Although the docstring admits production should use real-time APIs, the function still emits concrete valuation conclusions from hardcoded demo values for both banks and generic stocks. This is dangerous because callers may treat the returned results as live analysis, especially since the function does not surface uncertainty or indicate that the numbers are synthetic.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The skill states that it fetches financial data from third-party sites, but does not clearly warn users that outbound network requests will occur. Even if the data is market data rather than secrets, silent external requests can leak usage patterns, queried tickers, IP address, and environment metadata to third parties.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The skill advertises automatic Markdown/Word report generation without an explicit notice that files may be written to disk. Undisclosed file creation can surprise users, overwrite existing artifacts, or leave sensitive analysis outputs on shared systems.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Suggesting that a user provide a live session cookie is dangerous because session cookies are authentication credentials that can be replayed to access the user's account. Without strong warnings and secure handling requirements, this normalizes credential sharing and can directly enable unauthorized account access or leakage through logs, prompts, or debugging artifacts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document presents concrete buy/sell-style trading signals such as golden cross and death cross without any warning that these are heuristics, can generate false signals, and may lead to financial loss. In the context of an automated stock-analysis skill that generates investment reports, this can be interpreted by users as actionable investment advice, increasing the risk of harmful reliance.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The support/resistance section directly recommends actions like 'Buy near support, sell near resistance' and describes breakout/breakdown implications without any warning about uncertainty or possible losses. Because this skill is designed for A-share analysis and automatic Word investment report generation, the operational context makes these statements more likely to be treated as personalized or authoritative trading guidance.

Ssd 3

Medium
Confidence
95% confidence
Finding
A blanket instruction to log all external requests can capture sensitive data such as cookies, Authorization headers, query tokens, and other user-provided credentials. If logs are stored insecurely or shared for debugging, this can turn transient secrets into persistent compromise material and broaden the blast radius of any leak.

VirusTotal

64/64 vendors flagged this skill as clean.