Stock Quote

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward stock quote helper, but its default source can return delayed data even though some of its wording describes the quotes as real-time.

Install only if you are comfortable sending ticker symbols to external finance services. Do not rely on the default output for trading, compliance, or valuation decisions without checking the returned source, date, and timestamp; choose an explicit real-time-capable source when freshness matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The skill advertises real-time stock quotes, but its default automatic path prefers Stooq even though the code comments state Stooq provides delayed end-of-day prices for US stocks. In a finance or pre-trade verification context, stale pricing can mislead users into making trading or valuation decisions on outdated data, creating integrity and decision-risk issues.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The module docstring says the CLI fetches real-time stock prices, but the implemented default flow prioritizes a source explicitly documented in-code as delayed end-of-day data. This mismatch is a deceptive behavior/semantic integrity issue because downstream agents or users may trust freshness claims that are untrue in a trading workflow.

Missing User Warnings

Low
Confidence: 84%
Finding
The documentation omits a warning that stock symbols and related request metadata are sent to external providers such as Stooq, Yahoo/yfinance, or FMP. While ticker symbols are usually low sensitivity, in portfolio or pre-trade contexts they can reveal investment interests or positions, creating a privacy and data-governance risk.

VirusTotal

64/64 vendors flagged this skill as clean.
