query and monitor stock

Security checks across malware telemetry and agentic risk

Overview

This stock quote skill is not clearly malicious, but it needs review because it combines quote lookup with persistent watchlists, stored message targets, cached cookies, outbound alerts, and background monitoring.

Install only if you are comfortable with this skill writing local watchlist/config files, storing a notification target, caching quote-service cookies, contacting external services, and running a background monitor that can send alerts later. Review and periodically clear its data files, and require explicit confirmation before starting monitoring or clearing the watchlist.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3 (Medium)

Category: MCP Least Privilege
Confidence: 92%
Finding:
The skill invokes Python and shell commands that read/write local files, access the network for quote retrieval, and manage a background monitor process, but it declares no permissions. This creates a transparency and trust problem: a caller or host may treat the skill as low-risk while it can persist data, contact external services, and execute process-control actions.

Tp4 (High)

Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The description frames the skill as quote lookup and watchlist management, but the behavior also stores a persistent message target, sends outbound alerts, and starts/stops/restarts a long-lived subprocess. That mismatch is dangerous because users and orchestration layers may authorize the skill for simple read-only finance queries without realizing it can alter local state and trigger external messaging and process management.

Vague Triggers (Medium)

Confidence: 83%
Finding:
The trigger description includes broad everyday phrases like asking about prices or monitoring, which can cause the skill to activate in situations the user did not intend. Because this skill is not read-only and can modify persistent watchlists or start monitoring with notifications, overbroad invocation increases the chance of unintended state changes or outbound actions.

Missing User Warnings (Medium)

Confidence: 89%
Finding:
The skill persists a monitoring target identifier to data/config.json but does not clearly warn the user that this is a durable write of a personal identifier used for future message delivery. Hidden persistence is risky because it can silently retain sensitive routing data and enable later outbound notifications without the user fully understanding that the setting survives future sessions and restarts.

Missing User Warnings (Medium)

Confidence: 90%
Finding:
The delete and clear operations modify persistent watchlist data in data/watchlist.json without a strong warning or confirmation flow. This is dangerous because ambiguous or accidental invocation can cause irreversible loss of user-maintained data, and in this skill's context those writes also affect what the background monitor will watch and alert on.

Missing User Warnings (Medium)

Confidence: 86%
Finding:
The code retrieves authentication/session cookies from a third-party site and stores them in a local JSON file without any access controls, encryption, or explicit consent flow. If the local environment is shared or compromised, those cookies could be stolen and reused, and the silent persistence also creates a privacy and security exposure that users may not expect from a stock-quote skill.

VirusTotal

66/66 vendors flagged this skill as clean.
