openpd

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do the advertised market-report automation, but it needs review because it creates persistent scheduled jobs and stores API credentials in plaintext source/config files.

Install only if you want an ongoing weekday automated market report. Before installing, review the exact cron entries, avoid `crontab -r` unless you intend to remove all scheduled jobs, keep the skill directory private, and prefer environment variables or a locked-down secrets file instead of storing API keys in the Python source files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
f.write(new_cron)

# Install the crontab
result = subprocess.run(["crontab", temp_file], capture_output=True, text=True)

if result.returncode == 0:
    print("✅ 定时任务安装成功!")
```
Confidence
86% confidence
Finding
result = subprocess.run(["crontab", temp_file], capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
with open(temp_file, "w") as f:
    f.write("\n".join(new_lines))

result = subprocess.run(["crontab", temp_file], capture_output=True, text=True)

if result.returncode == 0:
    print("✅ 定时任务已卸载")
```
Confidence
86% confidence
Finding
result = subprocess.run(["crontab", temp_file], capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation describes capabilities that read and write local files, access the network, invoke Python and curl, and modify cron, but it does not declare corresponding permissions. This weakens user consent and review because the actual operational scope is broader than what a minimal install surface would suggest.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose is a narrow daily market-open analysis and Feishu push, but the skill behavior includes broader commodity querying, cron management, local config rewriting, and multi-channel messaging. Such scope expansion is dangerous because users may authorize or install the skill under a narrower trust assumption than its actual capabilities warrant.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The guide instructs users to install cron jobs without explicitly warning that this creates persistent automated execution on the host. Persistent scheduled tasks can continue running unnoticed, increasing the risk of unintended data collection, network access, or abuse if the skill is later modified or compromised.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The manual setup tells users to hardcode API keys directly into source files, which risks credential exposure through backups, source sharing, filesystem permissions, screenshots, or accidental commits. In a skill that performs scheduled automation and external API access, embedded secrets materially increase the blast radius if the local environment is compromised.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer stores API keys directly into source/config files in plaintext. If the skill directory is backed up, shared, committed to version control, or readable by other local users, those credentials can be exposed and abused to access third-party APIs or incur charges.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The script persists push target IDs and channel selections into `config.py` without clearly warning the user. While less sensitive than API secrets, these identifiers can reveal personal account, messaging, or destination metadata and may aid targeted abuse if the file is exposed.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The skill automatically dispatches messages through an external CLI without any confirmation, preview gate, or explicit runtime warning. In an agent setting, that creates a quiet outbound-action risk: misconfiguration, bad analysis, or manipulated inputs can result in unintended notifications being sent to real users or channels.

Session Persistence

Medium
Category
Rogue Agent
Content
Or add manually:
```bash
crontab -e

# Add the following two lines (trading days: collect at 5:00, push at 5:30)
0 5 * * 1-5 /usr/bin/python3 ~/.openclaw/skills/market-open-analysis/main.py --stage collect
```
Confidence
93% confidence
Finding
crontab -e

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
crontab -l

# Edit scheduled tasks
crontab -e

# Delete scheduled tasks
crontab -r
```
Confidence
88% confidence
Finding
crontab -e

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal