Stock Analysis Skill

Security checks across malware telemetry and agentic risk

Overview

This is a stock-analysis skill with expected market-data and news API use, but users should understand that stock symbols may be sent to external providers.

Install only in a virtual environment, review or pin the Python dependencies, and configure only the API keys you need. Do not treat the generated buy/sell/hold output as financial advice, and assume analyzed stock symbols or watchlists may be sent to external data and news providers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The AlphaVantageDataSource class contains multiple overwritten get_quote/get_history methods that actually implement efinance and Tushare behavior, so earlier methods are silently replaced at class definition time. This can route requests to the wrong provider, break expected authentication and data-handling assumptions, and cause security/privacy controls or audit logic tied to a specific provider class to be bypassed.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README explicitly promotes third-party integrations and API key setup, but it does not clearly disclose that user-provided stock symbols, watchlists, or news-related queries may be transmitted to external services such as Yahoo Finance, Alpha Vantage, or Tavily. In an agent skill context, this is a real transparency and privacy issue because users may assume analysis happens locally and may unknowingly send portfolio interests or research activity to outside providers.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly relies on third-party APIs for news and market data, but the documentation does not clearly warn users that stock tickers, watchlists, and related query context may be sent to external providers. This creates a real privacy and transparency issue because a user's investment interests can be sensitive and may be disclosed without informed consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises scheduled daily analysis and built-in messaging notifications, but does not clearly warn users that it may perform recurring automated activity and send outbound notifications on an ongoing basis. That omission can lead to unexpected background execution, data egress, message spam, or unwanted operational side effects.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The documentation shows output in Chinese without offering language selection or explaining a locale restriction, which can cause users to misunderstand recommendations, warnings, or financial outputs. In a skill that produces actionable analysis, language ambiguity can degrade safe use and informed decision-making.

VirusTotal

VirusTotal findings are pending for this skill version.