Market Morning Brief

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real market-brief tool, but it needs review because it can send sensitive trading briefs to a Slack webhook and its dry-run controls do not reliably prevent side effects.

Review before installing. Do not set OPENCLAW_SLACK_WEBHOOK unless you intentionally want full morning briefs, including trading positions and P&L, sent to that Slack destination; do not rely on morning --dry-run while that variable is set. Use least-privileged read-only trading API credentials, review the evening news history stored under ~/.openclaw/state, and verify or disable the Kalshalyst scorecard path if you do not want this skill importing sibling skill code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Tainted flow: 'req' from os.environ.get (line 208, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    try:
        data = json.dumps({"text": message}).encode("utf-8")
        req = urllib.request.Request(webhook_url, data=data, headers={"Content-Type": "application/json"})
        urllib.request.urlopen(req, timeout=10)
    except Exception:
        pass
Confidence
97% confidence
Finding
urllib.request.urlopen(req, timeout=10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill documentation describes capabilities that use environment/config values, shell commands, network access, and persistent file writes, yet no explicit permissions are declared. This creates a transparency and consent problem: users or orchestrators may approve the skill assuming it is read-only when it can actually reach external services and modify local state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
A description-behavior mismatch is security-relevant because the skill is presented as a local digest generator, while analysis indicates it can also send data to a Slack webhook and test outbound notifications. Hidden outbound delivery changes the trust boundary and can exfiltrate portfolio, market, or system-derived data to third-party endpoints without clear user expectation.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The documentation claims resilience via cache-file reads rather than live APIs, but elsewhere documents direct API/news lookups and history persistence. This inconsistency can mislead users and reviewers about actual data flows, causing underestimation of privacy exposure, network reachability, and local state changes.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The header claims the tool outputs plain text to stdout, but normal execution also sends the generated digest to Slack. That mismatch is security-relevant because users may believe the tool is local-only when it actually performs external transmission of potentially sensitive trading data.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Slack notification support is not required to generate a local morning brief, yet the code includes a hidden outbound channel that can send the entire brief off-host. In the context of a trading-intelligence skill, that is more dangerous because the output may include sensitive portfolio, edge, and signal data valuable to third parties.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The --dry-run flag promises 'Don't send, just print' but the program still calls the Slack notification routine unconditionally after printing the brief. This breaks a user safety control and can cause unintended disclosure of confidential market and portfolio data even when the user explicitly requested no sending.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill accesses external news/search services, local LLM tooling, market APIs, and stores a rolling history file, but does not clearly warn users about what information may leave the host or persist locally. In a finance-related context, even metadata about watched topics, schedules, and generated brief content can be sensitive and should be disclosed.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The script sends article content and topic context to third-party or local services (DuckDuckGo news search and Ollama/Qwen) without any explicit consent, warning, or privacy boundary. In a trading workflow, searched topics and selected articles can reveal user interests, strategy areas, or sensitive market focus, creating avoidable data-exposure risk.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The code persistently stores a rolling history of sent news summaries under the user's home directory without an explicit warning or retention consent. In this skill context, that history can disclose trading interests, monitoring habits, and topical focus to other local users, backup systems, or forensic review if the machine is shared or compromised.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
When all parsing strategies fail, the function logs a slice of the raw input text. In this skill, the parser is designed for LLM/Ollama/Qwen responses, which may contain sensitive user data, prompts, market positions, API-returned content, or system context; logging that content can leak secrets or private data into application logs where retention and access controls are often broader than the original data path.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Normal execution sends the brief to Slack without any user-facing warning, confirmation, or explicit send action. Silent transmission is especially risky here because the generated content aggregates potentially sensitive trading positions, signals, and analytics that users may reasonably expect to remain local.

VirusTotal

66/66 vendors flagged this skill as clean.
