A-share stock market pre-market, intraday and post-market analysis/china-stocks-daily-review

Security checks across malware telemetry and agentic risk

Overview

This market-report skill needs review because it enables recurring report delivery by default and can present hardcoded financial commentary as current data.

Install only if you want recurring A-share reports and are comfortable with automatic message delivery to linked channels. Before use, disable or confirm auto-push destinations, protect the Tushare token, and verify generated financial claims against live sources because some report content is hardcoded and should not be treated as current investment advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The skill's automation goes beyond generating a report in-session: it saves files into the workspace and pushes content to bound messaging endpoints. Persistent output and external delivery expand the attack surface by creating unintended data retention and exfiltration channels, especially if generated reports include user-linked preferences, schedules, or account-derived data.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
Default-on automatic push to external messaging channels is risky because it can transmit generated content outside the current execution boundary without granular consent each time. In a skill that gathers market data and may incorporate account-specific settings or locally stored information, automatic external delivery materially increases unintended disclosure risk.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The skill instructs running local Python scripts and shell-style commands for fetching and rendering, which is broader than a normal declarative report skill and can lead to arbitrary local execution in practice. Even if examples are intended as operational guidance, embedding them in the skill increases the chance that an agent or operator will execute them with local filesystem and network access.

Intent-Code Divergence

High
Confidence: 97%
Finding
The skill explicitly promises that missing data will be left blank and never fabricated, but later instructs hardcoding emotion data when serialization fails. That contradiction is dangerous because it enables silent falsification of analytical output, which is especially sensitive in a financial-reporting context where users may make decisions based on purportedly real market data.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The renderer hardcodes extensive market narratives, sentiment labels, strategy guidance, and fallback stock lists instead of leaving unavailable fields blank as the skill metadata promises. In a finance-reporting skill, this is dangerous because users may treat fabricated analysis as current, data-backed market intelligence and make trading decisions on false content.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The module docstring claims the script simply fetches structured data and fills a template, but the implementation injects predetermined conclusions and recommendations far beyond templating. This mismatch is security-relevant because it conceals non-data-driven behavior, undermines operator trust, and makes downstream users believe the report is mechanically generated from fresh market data when it is not.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill enables automatic scheduled delivery immediately after installation and sends generated reports to linked messaging channels such as WeChat or WhatsApp. That is a real privacy and consent issue because users may not realize data will be transmitted off the chat surface by default, and market-related prompts, schedules, and generated content could be exposed to third-party messaging platforms without explicit opt-in.

Missing User Warnings

Medium
Confidence: 90%
Finding
Enabling scheduled automation and persistent report writing by default without clear up-front warning can surprise users with ongoing background behavior and stored artifacts. This creates consent, privacy, and operational risk because reports may continue being generated and delivered after initial installation without explicit acknowledgment of those side effects.

VirusTotal

66/66 vendors flagged this skill as clean.