mapulse-korea

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real finance Telegram bot, but it combines payments, profiling, broadcasts, third-party AI/data sharing, deleted-tweet access, and advice-like prompts without enough clear user control or disclosure.

Before installing, review this as a high-impact finance bot, not just a stock-analysis helper. Require clear privacy terms, opt-in controls for AI processing and notifications, deletion/export commands, payment/referral security review, removal or restriction of deleted-tweet access, and prompt changes that avoid trading advice. Do not deploy it to real users until data retention, consent, broadcast controls, and financial-compliance boundaries are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (25)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The bot synchronizes and stores Telegram user metadata and avatar file IDs in its database on every interaction, even though this functionality is not necessary for answering stock-analysis queries. This creates unnecessary personal-data collection and retention risk; if the database is breached or reused, users' identities and profile linkage can be exposed beyond the bot's stated purpose.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The architecture documents payment processing, stored balances, checkout flows, referrals, and transaction tracking that materially expand the skill beyond a simple market-analysis bot. This is dangerous because users and reviewers may authorize or trust the skill under incomplete expectations, while the implementation handles money movement and incentive mechanics that require stronger disclosure, validation, and abuse controls.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The command list and cron/infrastructure sections reinforce that the skill operates as a monetized payment and referral platform, not just a stock-analysis assistant. Hidden scope expansion is risky because it increases the attack surface for financial abuse, social engineering, and unauthorized user expectations without corresponding disclosure in the manifest.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The documented OpenTwitter endpoint explicitly supports tweet search, KOL tracking, and deleted-tweet access, which goes beyond ordinary market-data retrieval and introduces surveillance/privacy-risk functionality. In a market-analysis bot, this capability can be used to monitor individuals or retain content users may expect to be gone, creating misuse and compliance risk even if no exploit code is present here.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The file stores and reuses per-user conversation context via `resolve_from_context` and `update_context`, including query text and a truncated response. For a stock query bot, persistent user-level tracking is not strictly necessary for core functionality and increases privacy risk if logs or context stores are exposed, especially because queries can contain sensitive investment interests or behavioral data.

Context-Inappropriate Capability

Low
Confidence
86% confidence
Finding
The `_shorten_url` helper sends article URLs to the third-party service `is.gd` for shortening. This leaks users' viewed destinations and the bot's outbound link set to an external party, and can reduce transparency by obscuring final destinations in a finance/news context where link trust matters.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The module persistently stores per-user language preference, interested tickers, sector interests, and query history in SQLite without any visible consent, retention control, or access restriction in this file. This creates unnecessary user profiling and increases the blast radius if the local database is accessed by other components or compromised.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The crash-analysis prompt explicitly asks the model to help determine whether a sharp drop is a buying opportunity, which conflicts with the file's own prohibition on buy/sell advice. In a financial bot, this can generate quasi-personalized trading guidance despite the disclaimer layer, creating compliance and user-harm risk if users act on the output.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documented behavior says direct questions should bypass onboarding, but the implementation still parses the message and silently adds inferred tickers to the user's watchlist before marking onboarding complete. In a finance bot, this creates unauthorized state changes from ambiguous natural-language input, which can alter future alerts, recommendations, and stored user preferences without explicit consent.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The file claims a compliance design that avoids judging correctness or presenting predictive accuracy, but the implementation computes continuation/reversal rates and sentiment-versus-actual outcome statistics. In a financial alerting bot, these retrospective metrics can functionally communicate signal efficacy and may be interpreted by users or regulators as performance claims, creating compliance and misrepresentation risk even if phrased as 'facts'.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The module exposes a deleted-tweets retrieval capability that is not necessary for a stock/market monitoring bot and expands surveillance functionality beyond the stated purpose. In this context, unnecessary collection of deleted content increases privacy, compliance, and abuse risk if the skill is used to monitor individuals rather than public market signals.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README advertises Telegram bot interactions and optional AI analysis via OpenRouter/Anthropic, but it does not disclose that user prompts and possibly market-related queries may be sent to third-party platforms for processing. This creates a real privacy and informed-consent issue because users may share sensitive watchlists, investment interests, or group messages without understanding the external data flow.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The persistence section mentions storing Telegram user records, watchlists, alerts, and profiles, but the skill description does not present a clear privacy warning or consent notice about collecting user data and sending scheduled messages. In a Telegram bot context, this increases the risk of silent data retention and unexpected outbound contact, especially for users who believe they are only making one-off queries.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code silently calls Telegram APIs to fetch users' profile photos and persists the resulting file IDs without any user-facing notice in this file. Undisclosed collection of profile-image identifiers is a privacy issue and can violate user expectations or platform/privacy-policy requirements, especially for a finance-oriented bot where users may assume only query text is processed.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The overview states that user queries are handled by LLMs and multiple external market-data providers, but it does not clearly warn that user messages and related context may be transmitted to third-party services such as OpenRouter and finance APIs. This creates privacy and compliance risk because users may disclose sensitive financial interests or personal data without informed consent.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The push, survey, tracking, and metrics features describe storing engagement, notification, and user-profiling data without a prominent warning to users. In a finance-oriented bot, this is especially sensitive because behavior, preferences, and watchlists can reveal investment interests and habits that merit explicit notice and tighter handling.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation instructs use of bearer-token protected endpoints but provides no guidance on secret storage, redaction, rotation, or privacy handling. This commonly leads to hardcoded tokens, token leakage in logs/docs, and unreviewed transmission of sensitive query data to third parties.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill makes many outbound HTTP requests and forwards user-derived content to LLM/network-backed functions such as `call_llm`, `chat_response`, and external news/data fetchers without any clear disclosure in this file. User questions may contain sensitive financial interests or personal data, so silent transmission to external services creates privacy and data-governance risk.

Natural-Language Policy Violations

Medium
Confidence
76% confidence
Finding
Defaulting to Chinese when no language can be detected may surprise users and can lead to responses in an unintended language without explicit preference or consent. While not a classic security flaw, it is a privacy and UX policy issue because it silently infers and applies a language choice.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code appends AI analysis by sending user query text and market data to Anthropic/OpenRouter without any disclosure or consent at the call site. Because user queries may contain personally revealing investment interests or other sensitive text, undisclosed third-party transmission creates a real privacy exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function stores truncated user queries, timestamps, detected language, and inferred interests in persistent storage without any notice or choice. Persistent retention of behavioral data can enable profiling and creates avoidable sensitivity if the database is later exposed or reused beyond the user's expectation.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The script enumerates all users and later sends unsolicited platform-wide messages to each of them with no consent check, per-user opt-out, or safety gate before mass delivery. In a Telegram bot handling market content, this can become abusive messaging, regulatory/compliance exposure, and broad-impact misuse if triggered accidentally or by an unauthorized operator.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
User queries, chat history, stock identifiers, and assembled market context are sent to a third-party LLM provider, but this file contains no visible consent gate, minimization, or disclosure before transmission. For a finance-focused assistant, those prompts may contain sensitive portfolio interests or behavioral signals that users may not expect to leave the service boundary.

Ssd 4

Medium
Confidence
89% confidence
Finding
The briefing prompt asks for specific 'action guide' output with price levels and conditions for significantly moving stocks, which nudges the model toward actionable trading-style guidance even while claiming not to give investment advice. In context, this can materially increase the chance of users receiving advice-like output that influences trades.

Ssd 4

Medium
Confidence
95% confidence
Finding
The crash-analysis prompt specifically steers the model to assess whether a decline is a buying opportunity, which is especially risky during volatile events when users are likely to act quickly. In a stock-analysis bot, this makes the model more likely to cross from analysis into tacit trading advice at exactly the highest-risk moment.

VirusTotal

VirusTotal findings are pending for this skill version.
