Astock Data

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real A-share stock-data tool, but it should be reviewed because it automatically falls back to an embedded shared API token and has inconsistent credential disclosure.

Install only if you are comfortable with a stock-data skill that reads QGDATA_TOKEN, may read ~/.openclaw/.env, and otherwise uses a shared embedded qgdata token. Prefer setting a dedicated personal token, review the provider’s quota and pricing terms, and audit or remove the hardcoded local Python import path before relying on it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 84% confidence
Finding: The skill advertises and documents access to environment variables and a local ~/.openclaw/.env file without declaring corresponding permissions. Undeclared access to secrets-bearing sources reduces transparency and can expose credentials or enable unexpected data access paths, especially in an agent ecosystem where users rely on manifest permissions to assess trust.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 94% confidence
Finding: The documented purpose is market-data retrieval, but the skill behavior also includes credential discovery from local environment/config files, use of a built-in shared token, and marketing-style upgrade flows on failure conditions. This mismatch is dangerous because users may grant trust for a data-query tool while the skill also handles secrets and embeds commercial redirection behavior that is not prominently disclosed as part of its security-relevant behavior.

Intent-Code Divergence

Medium

Confidence: 78% confidence
Finding: The documentation says a built-in free trial token is automatically used, while the manifest declares QGDATA_TOKEN as required. This inconsistency can mislead users and operators about authentication flow, causing accidental reliance on a hidden shared credential or incorrect security assumptions about whether personal secrets are necessary and when external calls will occur.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: The script embeds a hard-coded shared API token and uses it automatically when no user token is configured. Hard-coded credentials are dangerous because they can be extracted, abused by third parties, burned by overuse, and create hidden outbound authenticated activity under someone else's account.

Missing User Warnings

Medium

Confidence: 99% confidence
Finding: Using a hard-coded fallback API token without strong disclosure means users may unknowingly trigger authenticated outbound requests under a shared credential. This creates account abuse, service misuse, attribution, and revocation risks, and may conceal the true trust boundary of the skill.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal