stock-monitor-a

Security checks across malware telemetry and agentic risk

Overview

This is a coherent stock-price monitoring skill that fetches public market quotes, stores local alert logs, and can be scheduled for alerts, with no evidence of credential theft, destructive behavior, or unrelated data access.

Before installing, review the configured stock list, thresholds, cron schedule, and xiaoyi delivery_target. Expect local monitoring history and once-per-day alert state files to be created in the skill directory, and clear or disable them manually if you do not want stock-monitoring history retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 82%
Finding:
The description advertises automatic price logging and immediate alert pushing but does not disclose that data will be persisted or that notifications may be sent automatically to an external channel. Even if the stored data is 'just' stock prices, silent persistence and outbound delivery can surprise users, leak monitoring interests or operational metadata, and create compliance/privacy issues.

Missing User Warnings

Medium
Confidence: 85%
Finding:
The sample configuration explicitly enables `alert_pushes_immediately` and `price_log_auto_record`, yet the surrounding documentation provides no safety notice about automatic persistence or external push delivery. Because these behaviors are enabled in the example, operators are likely to copy them into production without understanding the data handling and notification implications.

VirusTotal

64/64 vendors flagged this skill as clean.
