Back to skill

Security audit

Sharesight Skill for OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This Sharesight skill is a disclosed finance API tool that uses Sharesight credentials and can modify records only after an explicit write-mode opt-in.

Install only if you intend to connect an agent or CLI to your Sharesight account. Leave SHARESIGHT_ALLOW_WRITES unset for read-only use, enable it only when you need changes, review create/update/delete commands carefully, and clear the cached token when the integration is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill exposes sensitive capabilities including environment variable access, shell execution, network access, and file writing, but does not declare explicit permissions boundaries. In a finance-related skill handling API credentials and portfolio data, this weakens trust and reviewability because the agent could access secrets or perform external actions without a clearly stated security contract.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation includes delete operations for holdings, investments, prices, and coupon rates without prominent warnings that these actions may be irreversible or materially affect financial records. In a portfolio-management context, accidental execution could cause loss of investment data integrity and operational disruption, especially if write mode is enabled.

Credential Access

High
Category
Privilege Escalation
Content
)

    if response.status_code != 200:
        raise ValueError(f"Failed to get access token: {response.status_code} - {response.text}")

    token_data = response.json()
    access_token = token_data["access_token"]
Confidence
89% confidence
Finding
access token

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.