Wework Financial Daily

Security checks across malware telemetry and agentic risk

Overview

This skill does generate and send a daily financial teaching report, but it also hardcodes credentials, publishes reports to a public external storage service, and recommends elevated scheduled execution.

Install only after review and modification. Remove and rotate all embedded WeCom and MinIO credentials, make external upload opt-in or disable it, use private storage or short-lived links, load secrets from protected user-controlled configuration, label simulated data clearly, and run any scheduled task as a normal user rather than with administrator/highest privileges.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
        __import__(pkg)
    except ImportError:
        print(f"📌 Installing the {pkg} library...")
        os.system(f"pip install {pkg} -i https://pypi.tuna.tsinghua.edu.cn/simple")

# Run the full pipeline
try:
Confidence
95% confidence
Finding
os.system(f"pip install {pkg} -i https://pypi.tuna.tsinghua.edu.cn/simple")

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes capabilities to write files, access the network, and invoke shell-adjacent behavior such as running Python, batch files, and PowerShell task setup, yet no permissions are declared. This creates a transparency and governance gap: users and platforms cannot accurately assess the operational risk before installation or execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior materially conflicts with the reported code behavior: uploading generated HTML to MinIO with public-read access, hardcoding credentials, and presenting simulated/random data as 'latest financial data' are all significant deviations. This is dangerous because it can cause unauthorized data exposure, secret leakage, and user deception about the provenance and reliability of the generated financial content.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The README directs users to create a scheduled task with administrator privileges, to run whether the user is logged in, and with highest privileges. For a reporting-and-notification workflow, that privilege level is broader than necessary and increases the blast radius if the script, its dependencies, or the skill directory are modified or compromised.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The document internally contradicts itself by promising 'latest daily financial data' while later stating that the current implementation uses simulated data. In a finance-related skill, this is more dangerous than a normal documentation issue because users may rely on the output as real market information for teaching, decision support, or distribution to others.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The code hardcodes a corporate messaging token and recipient identifier despite claiming environment-variable configuration. Hardcoded secrets are highly dangerous because anyone with code access can extract and reuse them to send messages, impersonate the service, or pivot into related systems; this skill context makes it worse because the script is explicitly designed to transmit data to external infrastructure.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill uploads generated reports to an external MinIO service and creates a publicly accessible link, exceeding the stated local-save and WeCom push behavior. This is dangerous because it expands data exposure beyond the expected trust boundary; in this context, automatic cloud publication of generated reports materially increases confidentiality risk.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Automatically running pip install during execution gives the skill unnecessary software installation capability unrelated to its primary reporting function. In an agent environment this is especially risky because it permits unreviewed code retrieval and execution from remote package infrastructure, increasing supply-chain and system-integrity exposure.
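The os.system() finding above and this one describe the same pattern: the script probes for a package with __import__ and, on failure, shells out to pip at runtime. The following is an added example of how a reviewer can flag that pattern statically with Python's ast module before installing a skill; it is not code from the skill or from SkillSpector. The sample source it scans is constructed here to mirror the flagged snippet, and the call lists (SHELL_CALLS, DYNAMIC_CODE) are this example's own choice of what counts as shell execution and dynamic code loading.

```python
import ast
from dataclasses import dataclass

# Calls that hand a string to a shell or load code at runtime. The sets are this
# example's own selection; extend them for whatever your environment treats as sensitive.
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.call",
               "subprocess.Popen", "subprocess.check_call", "subprocess.check_output"}
OS_EXEC_PREFIXES = ("os.exec", "os.spawn")
DYNAMIC_CODE = {"exec", "eval", "__import__", "importlib.import_module"}


@dataclass
class Finding:
    line: int
    kind: str      # "runtime-install", "shell-exec" or "dynamic-code"
    detail: str


def _dotted_name(node):
    """Return 'os.system' for os.system(...), 'exec' for exec(...), else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _literal_text(node):
    """Concatenate the constant parts of a str literal, f-string, list or tuple.

    Non-literal pieces (variables, formatted values) are dropped, so
    f"pip install {pkg}" and ["pip", "install", pkg] both yield text
    containing "pip install".
    """
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.JoinedStr):
        return "".join(_literal_text(v) for v in node.values)
    if isinstance(node, (ast.List, ast.Tuple)):
        return " ".join(_literal_text(e) for e in node.elts)
    return ""


def scan_source(src: str):
    """Walk every call in the module and report shell/dynamic-code usage, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name is None:
            continue
        if name in DYNAMIC_CODE:
            findings.append(Finding(node.lineno, "dynamic-code", name))
        elif name in SHELL_CALLS or name.startswith(OS_EXEC_PREFIXES):
            cmd = _literal_text(node.args[0]) if node.args else ""
            kind = "runtime-install" if "pip install" in cmd else "shell-exec"
            findings.append(Finding(node.lineno, kind, f"{name}: {cmd.strip() or '<non-literal>'}"))
    findings.sort(key=lambda f: f.line)
    return findings


# Constructed sample modelled on the flagged snippet; not the skill's actual source.
SAMPLE = '''
import os, subprocess
for pkg in ("requests", "minio"):
    try:
        __import__(pkg)
    except ImportError:
        print(f"Installing {pkg}...")
        os.system(f"pip install {pkg} -i https://pypi.tuna.tsinghua.edu.cn/simple")
subprocess.run(["pip", "install", "jinja2"], check=True)
eval(input())
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.kind} ({f.detail})")
```

Any "runtime-install" hit is grounds to reject the skill as shipped: dependencies belong in a pinned requirements file installed once, under review, not fetched from a mirror each time the scheduled task fires.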

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code explicitly sets the MinIO bucket policy to public-read for all objects. This is a true exposure vulnerability because any uploaded report becomes broadly accessible over the network, and the skill context makes it more dangerous since reports are distributed automatically and may contain internal or sensitive educational/business content.
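The two MinIO findings (automatic upload with a public link, and the public-read bucket policy) share one fix, which the overview states as "use private storage or short-lived links". The block below is an added example of both halves, written for this page rather than taken from the skill: a check that tells a public-read policy statement apart from a private one, and a stdlib-only SigV4 presigned GET URL that lets a recipient fetch one report for a bounded time while the bucket stays private. The policy JSON is a constructed example of the usual anonymous-GetObject shape; the endpoint, bucket name, object key and credentials are invented placeholders.

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

# Constructed example of the policy shape that makes a bucket "public-read":
# an Allow for the anonymous principal on s3:GetObject over every key.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["*"]},
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::daily-reports/*"],
    }],
}

PRIVATE_POLICY = {"Version": "2012-10-17", "Statement": []}   # no anonymous grants at all


def _principals(p):
    """Normalise the Principal element ('*', {'AWS': '*'}, {'AWS': ['*']}) to a list."""
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        out = []
        for v in p.values():
            out.extend(v if isinstance(v, list) else [v])
        return out
    return []


def public_read_statements(policy):
    """Return statements that let anyone read objects, with no Condition narrowing them."""
    hits = []
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        anonymous = "*" in _principals(st.get("Principal"))
        readable = any(a.lower() in ("*", "s3:*", "s3:get*", "s3:getobject") for a in actions)
        if st.get("Effect") == "Allow" and anonymous and readable and "Condition" not in st:
            hits.append(st)
    return hits


MAX_EXPIRES = 7 * 24 * 3600   # upper bound S3-compatible services accept for presigned URLs


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(endpoint, bucket, key, access_key, secret_key,
                region="us-east-1", expires=900, now=None):
    """Build a SigV4 query-string presigned GET (path-style URL, as MinIO serves them)."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError(f"expires must be between 1 and {MAX_EXPIRES} seconds")
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    scheme, host = endpoint.split("://", 1)
    path = "/" + quote(bucket, safe="") + "/" + quote(key, safe="/")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical = "\n".join(["GET", path, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    k = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{scheme}://{host}{path}?{query}&X-Amz-Signature={signature}"


def demo_url():
    """Fixed-timestamp call with placeholder credentials so the output is reproducible."""
    return presign_get("https://minio.example.internal", "daily-reports", "2024/01/report.html",
                       "AKIAEXAMPLEKEY", "example-secret-not-real", expires=600,
                       now=dt.datetime(2024, 1, 2, 3, 4, 5, tzinfo=dt.timezone.utc))


if __name__ == "__main__":
    print("public-read statements:", len(public_read_statements(PUBLIC_READ_POLICY)))
    print(demo_url())
```

Run public_read_statements() against whatever policy the skill applies before trusting its "local-save and WeCom push" description; if it returns anything, the bucket is readable by anyone who learns an object name. With the bucket private, the presigned link is the only way the WeCom recipient reads the report, it carries no secret (only the access key id and a signature), and it stops working after X-Amz-Expires seconds. In a real deployment the MinIO client library's presigned_get_object call produces the same kind of URL; the hand-rolled signing here is only to make the mechanism visible.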

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The instructions tell users to run `SetupTask.ps1` as administrator without providing any security warning or justification for elevation. Running a PowerShell script as admin gives it broad control over the system, so users are being encouraged to trust elevated code execution without enough scrutiny.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README advises storing the enterprise WeCom token in system environment variables but does not warn that this is a sensitive credential. System-level variables may be accessible to other processes or users with sufficient access and can persist longer than intended, increasing the chance of credential disclosure.

Missing User Warnings

High
Confidence
98% confidence
Finding
Suggesting that users hardcode the WeCom token directly into `scripts/generate_and_send.py` materially increases the risk of secret exposure through source files, backups, screen sharing, version control, or accidental distribution. Because the token enables message delivery and may grant access to enterprise communication channels, leakage can lead to unauthorized use and abuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to embed the enterprise WeCom token directly into the script without warning about the credential exposure risk. Hardcoded secrets are easily leaked through source control, backups, screen sharing, local multi-user access, or accidental redistribution of the skill package.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide explicitly instructs users to run the scheduled task with highest privileges and in admin context, but does not explain the security consequences or recommend least-privilege execution. If the referenced Python script, its dependencies, or its working directory are modified, the task would execute attacker-controlled code with elevated privileges on a recurring basis.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The document shows multiple ways to place a sensitive token directly into cron YAML, system environment variables, and especially a batch file in plaintext, without warning about credential exposure. These values can be recovered from config files, process listings, backup systems, task definitions, or readable scripts, allowing unauthorized use of the enterprise WeCom integration and potential message spoofing or data leakage.
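The credential findings above (the token in system environment variables, the token hardcoded in scripts/generate_and_send.py, and the plaintext copies in cron YAML and a batch file) come down to two practices: the script must obtain the token only from protected, user-controlled configuration, and the skill package must be scanned for embedded copies before it is installed. The block below is an added example of both, written for this page and not taken from the skill. It assumes the environment variable is named WECOM_WEBHOOK_KEY (the skill's actual variable name is not given on this page) and that the token appears as the key= query parameter of a WeCom group-robot webhook URL; the sample files it scans are constructed, with a dummy UUID in place of a real key.

```python
import os
import re
import stat
from pathlib import Path

# Two places a WeCom robot key shows up in plaintext: the key= parameter of the
# webhook URL, and an assignment to the (assumed) WECOM_WEBHOOK_KEY variable in
# env/batch/YAML files. The UUID-like shape of the value is an assumption.
WECOM_KEY_RE = re.compile(
    r"(?:webhook/send\?key=|WECOM_WEBHOOK_KEY\s*[=:]\s*['\"]?)([0-9a-fA-F-]{32,36})"
)


def redact(secret: str) -> str:
    """Keep only the ends so a finding can be matched to a value without re-leaking it."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 8 else "****"


def load_secret(name: str, env=None, secrets_file=None) -> str:
    """Fail-closed secret lookup: process environment first, then a private key=value file.

    There is deliberately no fallback literal. A secrets file that is readable by
    group or others is refused rather than read, so a loose chmod cannot silently
    widen who can obtain the token.
    """
    env = os.environ if env is None else env
    value = env.get(name)
    if value:
        return value
    if secrets_file is not None:
        p = Path(secrets_file)
        mode = stat.S_IMODE(p.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{p} is group/world accessible (mode {oct(mode)}); refusing to read it")
        for line in p.read_text().splitlines():
            k, _, v = line.partition("=")
            if k.strip() == name and v.strip():
                return v.strip()
    raise RuntimeError(f"{name} is not configured; set it in the environment or in {secrets_file}")


def find_hardcoded_keys(files):
    """files maps a relative path to its text. Returns (path, line_no, redacted_key) hits."""
    hits = []
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), 1):
            for m in WECOM_KEY_RE.finditer(line):
                hits.append((path, n, redact(m.group(1))))
    return hits


# Constructed sample of a skill package that leaks the same token three ways.
DUMMY_KEY = "11111111-2222-3333-4444-555555555555"
SAMPLE_FILES = {
    "scripts/generate_and_send.py":
        f'WEBHOOK = "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key={DUMMY_KEY}"\n',
    "run_daily.bat":
        f"set WECOM_WEBHOOK_KEY={DUMMY_KEY}\r\npython scripts\\generate_and_send.py\r\n",
    "cron.yaml":
        f'env:\n  WECOM_WEBHOOK_KEY: "{DUMMY_KEY}"\n',
    "README.md":
        "Set WECOM_WEBHOOK_KEY in your environment before running.\n",
}

if __name__ == "__main__":
    for path, line_no, key in find_hardcoded_keys(SAMPLE_FILES):
        print(f"{path}:{line_no}: hardcoded WeCom key {key}")
```

The README line is not reported because it names the variable without a value; the three real copies are. A key found this way should be treated as already disclosed and rotated in the WeCom admin console, not merely deleted from the file, since it may persist in backups, version history and task definitions.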

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends data to external services automatically without explicit confirmation or an upfront warning at the point of execution. In this skill, that behavior is more dangerous because it includes both enterprise messaging and cloud upload, which can leak report contents or metadata outside the local environment without informed user consent.

VirusTotal

65/65 vendors flagged this skill as clean.
