Back to skill

Security audit

Stock Price Query MX

Security checks across malware telemetry and agentic risk

Overview

This stock quote skill mostly matches its advertised purpose, but its Hong Kong quote path quietly uses local credentials and an undeclared helper skill despite claiming no API key is needed.

Review before installing. A-share and US quote retrieval appear coherent, but Hong Kong quotes may use a local Eastmoney credential and run a separate finance-data helper that is not included or pinned here. Install only if you trust that helper and are comfortable exposing the relevant credential and environment to it; otherwise prefer a version that clearly documents or removes the HK credential path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
        env = {**os.environ, 'EM_API_KEY': em_api_key}
        # 分两次查询:先获取最新价,再获取涨跌幅
        result = subprocess.run(
            ['python3', '/root/.openclaw/workspace/skills/mx-finance-data/scripts/get_data.py',
             '--query', f'{code}.HK 最新价'],
            capture_output=True,
Confidence
86% confidence
Finding
result = subprocess.run( ['python3', '/root/.openclaw/workspace/skills/mx-finance-data/scripts/get_data.py', '--query', f'{code}.HK 最新价'], capture_output=T

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 第二次查询:获取涨跌幅
        change_pct = 0
        try:
            result2 = subprocess.run(
                ['python3', '/root/.openclaw/workspace/skills/mx-finance-data/scripts/get_data.py',
                 '--query', f'{code}.HK 涨跌幅'],
                capture_output=True,
Confidence
86% confidence
Finding
result2 = subprocess.run( ['python3', '/root/.openclaw/workspace/skills/mx-finance-data/scripts/get_data.py', '--query', f'{code}.HK 涨跌幅'],

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documentation instructs the agent to run a local Python script and make live network requests, yet no permissions are declared. This creates a transparency and policy-enforcement gap: a caller or platform may treat the skill as low-privilege while it actually exercises shell, file, environment, and network capabilities.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill claims 'no API key required' and describes a self-contained quote tool, but analysis indicates it reads a local credential file and depends on an external local script for Hong Kong data. Hidden credential access and undeclared cross-skill/local dependencies are dangerous because they expand trust boundaries, can exfiltrate or misuse secrets, and mislead reviewers about the real security posture.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill reads a credential file from a fixed vault path for a user-facing function that appears to be simple stock lookup. Accessing vault credentials implicitly and without user disclosure broadens privilege unnecessarily and creates a path for sensitive secret use in a low-trust, general-purpose skill.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill invokes an external Python script from another skill to fulfill its own functionality. In an agent ecosystem, this cross-skill execution is dangerous because it imports the behavior, privileges, and potential vulnerabilities of a separate component that the user did not explicitly ask to run.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill advertises that no API key is needed, but the Hong Kong quote path quietly depends on EM_API_KEY or a local Eastmoney credential file. This is dangerous because it misrepresents the skill's trust and secret requirements, causing users or orchestrators to grant or expose credentials they would not otherwise expect for a simple quote lookup.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
A stock quote script reads a local credential file from a vault path even though its stated purpose is simple market-data retrieval. Accessing secrets from local storage without clear necessity or disclosure increases the blast radius of compromise and violates least-privilege expectations for a low-risk utility skill.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The skill expands its capability from quote retrieval to launching an external helper script located elsewhere in the workspace. In agent environments, this matters because executing another script broadens the trust boundary and can expose secrets or introduce unintended behavior if that helper is modified or compromised.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script reads sensitive credential material from a vault-backed file without any user-facing disclosure. In the context of a simple quote-lookup skill, hidden secret consumption is risky because it violates least surprise and may let a broadly accessible utility operate with privileged data sources unbeknownst to the caller.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script reads a sensitive credential file without any user-facing disclosure, warning, or consent flow. In the context of a supposedly no-key stock-query skill, silent secret access is especially problematic because it can surprise deployers and normalize over-privileged secret consumption.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.