Finance News Litiao

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent finance briefing tool, but its automated cron scripts can send portfolio and alert information to a hard-coded WhatsApp recipient if installed or run unchanged.

Review and edit the cron scripts before installing or scheduling this skill. Remove the hard-coded FINANCE_NEWS_TARGET value, set your own delivery target explicitly, and avoid enabling no-approval cron workflows until you are comfortable sending portfolio, alert, and earnings content to the configured channel. Treat debug/raw JSON outputs, portfolio files, and API keys as sensitive financial data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (42)

Tainted flow: 'OPENBB_BINARY' from os.environ.get (line 42, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
results = []
for symbol in symbols[:10]:  # Limit to 10 symbols
    try:
        result = subprocess.run(
            [OPENBB_BINARY, symbol, '--earnings'],
            capture_output=True,
            text=True,
Confidence
91% confidence
Finding
result = subprocess.run( [OPENBB_BINARY, symbol, '--earnings'], capture_output=True, text=True, timeout=30 )

Tainted flow: 'OPENBB_BINARY' from os.environ.get (line 42, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
results = []
for symbol in symbols[:10]:  # Limit to 10 symbols
    try:
        result = subprocess.run(
            [OPENBB_BINARY, symbol, '--rating'],
            capture_output=True,
            text=True,
Confidence
91% confidence
Finding
result = subprocess.run( [OPENBB_BINARY, symbol, '--rating'], capture_output=True, text=True, timeout=30 )

Tainted flow: 'SSL_CONTEXT' from os.environ.get (line 93, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
try:
    req = urllib.request.Request(url, headers={'User-Agent': 'OpenClaw/1.0'})
    with urllib.request.urlopen(req, timeout=timeout, context=SSL_CONTEXT) as response:
        return response.read()
except urllib.error.URLError as e:
    last_error = e
Confidence
95% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout, context=SSL_CONTEXT) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documents capabilities to read and write local files, access environment/configuration, invoke shell commands, and use networked services, yet it declares no permissions. This creates a transparency and consent failure: an agent or user may invoke what appears to be a simple news skill without realizing it can modify portfolio files, configure cron jobs, call external CLIs, and transmit data externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose emphasizes market news briefings, but the documented behavior extends into portfolio CRUD, alert persistence, earnings workflows, cron automation, delivery channel setup, and broader integrations. This mismatch is dangerous because trust and routing decisions may be made on the narrow description while the skill actually has materially broader access and side effects, increasing the chance of unintended file changes, scheduled execution, and external data disclosure.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file implements persistent alert CRUD and checking logic backed by a local JSON store, which materially exceeds the declared scope of a finance news briefing skill. This scope drift is dangerous because it introduces unauthorized stateful portfolio/alert management behavior and external market-data access that users and reviewers would not expect from a news-summary skill.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code supports mutable administration of alerts including set, update, delete, snooze, and trigger tracking, despite the skill being presented as a news briefing tool. In context, this creates an integrity risk because an apparently read-oriented skill can alter persisted user monitoring state and influence downstream financial workflows or notifications.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The module invokes an external executable via subprocess using a path taken from the environment or PATH. Even though shell injection is not present because arguments are passed as a list, this still grants the skill arbitrary local code-execution capability through a user-controlled binary path, which exceeds what is needed for a market-news briefing skill and increases supply-chain and privilege-boundary risk.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file implements full portfolio/watchlist CRUD, CSV import, and interactive stateful data management even though the skill is described as a finance news briefing tool. This scope expansion creates unnecessary data-handling and mutation capabilities that increase attack surface and can enable unauthorized persistence or manipulation of user financial preference data beyond the declared purpose.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The interactive portfolio creation flow accepts arbitrary user input and persists it to the portfolio store despite not being necessary for a news-briefing function. While not directly code-executing, this interactive state creation increases the chance of unintended data storage, misuse, and hidden capability expansion in an otherwise informational skill.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file implements persistent portfolio and watchlist state management, including loading, saving, adding, moving, removing, and alert-setting operations against a local JSON database. That materially exceeds the declared purpose of a finance-news briefing skill, and in an agent setting it creates unauthorized data modification capability that could alter or destroy a user's financial tracking data without clear user expectation or scope.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code exposes direct holdings/watchlist CRUD and alert mutation operations through functions and CLI handlers, enabling creation, update, movement, and deletion of investment-tracking records. In the context of a news/briefing skill, these capabilities are unjustified and increase the risk of unauthorized or accidental portfolio-state changes, especially because they persist immediately to disk.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The debug logger writes raw market, headline, and portfolio data to local cache files, which can persist potentially sensitive portfolio holdings and related activity beyond the immediate response lifecycle. In shared environments or systems with weak file protections, these artifacts can be read later by other users, processes, or support tooling, creating unintended data exposure.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The JSON output includes the full raw market and portfolio datasets, not just the summarized briefing. This broadens data exposure to downstream callers, logs, and integrators that may only expect a summary, increasing the chance that portfolio holdings or other sensitive details are unnecessarily propagated or stored.

Context-Inappropriate Capability

Medium
Confidence
74% confidence
Finding
Adding subprocess-based execution to a news/earnings skill increases attack surface and creates a path for local code execution through external tooling. In this file that concern is amplified because the binary path may be sourced from an environment variable, making the extra capability more dangerous than normal feature creep.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill is presented as a finance-news briefing tool, but it expands its execution surface by invoking external binaries selected from PATH or an environment variable. That creates a trust boundary problem: a malicious or trojaned openbb-quote or other helper on PATH can execute arbitrary code under the skill's privileges.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
Falling back to generic web search materially broadens data acquisition beyond the declared RSS/market briefing scope. This can leak user interests or portfolio symbols to an external search tool/provider and introduces less predictable content and helper-binary trust risks than the manifest suggests.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The module sends aggregated market and portfolio content to an external Gemini CLI for analysis, introducing a data-exfiltration/trust-boundary risk that is not obvious from the skill description. In a finance context, portfolio symbols and related news can reveal sensitive investment interests, so handing this to an external tool without explicit disclosure or consent is dangerous.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file implements a persistent local portfolio/watchlist database with create, update, move, and delete behavior, which exceeds the declared skill purpose of finance news briefings and summaries. In an agent context, undeclared stateful financial data management is risky because it can collect or alter sensitive user portfolio information without clear user expectation, authorization boundaries, or manifest disclosure.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The functions add_to_watchlist, add_to_holdings, move_to_holdings, and remove_stock allow direct modification of a user's portfolio-related data even though the skill is described as a news briefing tool. This mismatch increases the chance of unauthorized or unintended financial record changes, especially if another component invokes these functions under the assumption that the skill is read-only or informational.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The CLI exposes commands for listing, adding, moving, removing, and setting alerts on holdings/watchlist entries, which are unrelated to the manifest's stated market-news use case. Exposing these commands broadens the attack surface and enables local operators or integrated automation to perform undeclared state-changing actions on financial data.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Debug mode writes detailed raw market, headline, and portfolio data to local disk under a cache directory, creating unnecessary data retention outside the user-facing briefing flow. If the host is shared, backed up, or compromised, these logs can expose sensitive portfolio holdings and activity history beyond what users expect from a news-summary skill.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The README documents Telegram as a supported delivery channel, expanding message-delivery capabilities beyond what the skill metadata describes. This mismatch can undermine review and allow operators or downstream systems to use an unadvertised outbound channel, which is a security-relevant scope expansion for a messaging-enabled skill.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The auto-invocation examples are broad natural-language triggers like 'What's the market doing?' and 'Generate morning briefing,' which can overlap with ordinary conversation. In an agent environment, this can cause the skill to run unexpectedly, leading to network calls, use of portfolio data, or even downstream delivery/scheduling actions when the user may have only been asking a general question.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation promotes WhatsApp delivery and scheduled briefings but does not prominently warn that portfolio holdings, ticker interests, and generated summaries may be transmitted to external services or recipients automatically. This creates a privacy and confidentiality risk, especially because financial watchlists and briefing content can reveal investment positions, interests, and routines.

VirusTotal

VirusTotal findings are pending for this skill version.
