Fund Analyzer Pro

Security checks across malware telemetry and agentic risk

Overview

This fund-analysis skill is mostly purpose-aligned, but it needs Review because it exposes live-looking API credentials and handles sensitive portfolio data with weak storage and export controls.

Install only if you are comfortable with a finance skill that contacts external fund services, stores cache and holdings data locally, and can produce monitoring alerts. Rotate or replace any bundled API key, use your own secrets through environment variables or a secure secret manager, avoid plaintext holdings export, and review/clear the local OpenClaw data files if you process real portfolio information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (24)

exec() call detected

High
Category
Dangerous Code Execution
Content
# Execute the scripts to obtain their namespaces
qieman_ns = {}
with open(scripts_path / "qieman-mcp-query.py", 'r', encoding='utf-8') as f:
    exec(f.read(), qieman_ns)

encrypt_ns = {}
with open(scripts_path / "encrypt-holdings.py", 'r', encoding='utf-8') as f:
Confidence
95% confidence
Finding
exec(f.read(), qieman_ns)

exec() call detected

High
Category
Dangerous Code Execution
Content
encrypt_ns = {}
with open(scripts_path / "encrypt-holdings.py", 'r', encoding='utf-8') as f:
    exec(f.read(), encrypt_ns)

validate_fund_code = qieman_ns['validate_fund_code']
get_cache_key = qieman_ns['get_cache_key']
Confidence
95% confidence
Finding
exec(f.read(), encrypt_ns)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill declares no permissions, yet the documentation clearly describes capabilities requiring network access, local file read/write, and likely environment/config secret handling. This mismatch weakens review and consent boundaries: operators may approve an analysis skill without realizing it can persist user holdings, manage local files, and contact external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is fund analysis, but the finding indicates materially broader behavior: local persistence of user holdings, encryption key generation/storage, plaintext export and deletion flows, direct HTTP access with an embedded API key, and standalone CLI operations. Hidden or under-disclosed data handling and outbound access increase the chance of privacy breaches, secret exposure, and unauthorized operations beyond what a user would reasonably expect from an analysis skill.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The assessment’s conclusion says all P0/P1/P2 issues are completed and the skill is ready to publish, while earlier sections still list unresolved gaps such as missing validation, persistence protections, and documentation gaps. This kind of internal contradiction can mislead reviewers into approving a skill with incomplete safeguards, creating governance and deployment risk.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The document claims the skill is effectively read-only except for cache, but it also discusses encrypting stored user holdings and adding deletion interfaces, which implies persistent retention of potentially sensitive portfolio data. This contradiction can cause operators to under-scope privacy, retention, and access-control requirements for data handling.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The README includes a concrete x-api-key value for the 且慢 MCP service, which appears to be a real credential rather than a placeholder. Publishing service credentials in documentation enables unauthorized API access, abuse of paid resources, and possible access to downstream financial-analysis data or systems.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill expands from on-demand analysis into autonomous monitoring and push-style alerting, which changes its trust and risk profile. Background monitoring can continue processing user-selected funds and transmitting alerts without a clearly bounded interaction, increasing privacy, consent, and misuse concerns.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
Feishu push integration introduces outbound messaging to a third-party platform, which can leak fund identities, holdings-related signals, or behavioral metadata if not carefully minimized and consented. In a finance-related skill, external notifications materially increase confidentiality and compliance risk.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The example includes individualized recommendations such as '继续持有', '每月定投 5000 元', and a 1–2 year recovery expectation while simultaneously disclaiming that it is not investment advice. This mismatch is dangerous because downstream agents or users may treat the output as regulated, personalized financial guidance without appropriate suitability checks, licensing, or risk controls.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
This file implements persistent local storage of user portfolio holdings, enumeration of all stored users, deletion, and plaintext export features. For a fund-analysis skill, storing sensitive financial positions and enabling broad listing/export functionality increases the privacy and data-exposure surface beyond what is necessary for analysis, especially because there is no access control, consent flow, or scoping to the current user.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The holdings command reads an arbitrary user-supplied local path with open(sys.argv[2], ...), allowing the tool to access any readable JSON file on the host. In an agent environment, this expands the skill from fund analysis into general local file access, which can expose sensitive configuration or user data if an attacker can influence the file path.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The file contains a hardcoded x-api-key used to access a remote MCP service. Embedding live credentials in source code makes accidental disclosure, unauthorized reuse, and abuse of the associated account likely if the repository, package, logs, or skill bundle are exposed.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README encourages users to upload Excel holdings data, which can contain sensitive financial information, but it does not describe privacy handling, retention, redaction, or consent expectations. In a finance context, omission of these safeguards increases the risk of over-collection, accidental disclosure, and mishandling of personally sensitive portfolio data.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The activation rules are broad and ambiguous, so the skill may trigger during ordinary fund-related conversation even when the user did not intend deep analysis or data access. Overbroad invocation increases the chance of unnecessary API calls, unwanted processing of uploaded holdings, or accidental exposure through notifications and persistence features.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation describes automatic monitoring and Feishu reminders but does not clearly warn users that watchlist contents, signal data, or related metadata may be transmitted externally. In a financial context, missing privacy and transmission disclosure undermines informed consent and can expose sensitive investment interests or positions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document shows concrete investment recommendations such as '值得投资吗', '操作建议:持有', and suitability guidance without any visible disclaimer that the output is informational only, may be inaccurate, and is not personalized financial advice. In a fund-analysis skill, this is more dangerous because users are likely to rely on the recommendation as actionable advice and may make real financial decisions based on incomplete or model-generated analysis.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
This section provides personalized holding advice based on a user's specific loss amount and fund position, including a direct recommendation to '继续持有 + 适度定投' and discouraging selling, but gives no warning about financial risk, limited suitability assessment, or the possibility the advice may be wrong. This is especially risky in the skill's context because it appears tailored to the user's actual portfolio and losses, which can strongly influence high-stakes financial behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide instructs users to place an API key in `~/.openclaw/workspace/TOOLS.md`, a plaintext Markdown file, without any warning about file permissions, repository sync, backups, or accidental sharing. Storing secrets in general-purpose documentation files materially increases the chance of credential disclosure through version control, screenshots, support bundles, or local compromise.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The guide explicitly recommends saving the same API key in multiple locations, including environment variables, a workspace Markdown file, and a password manager. Replicating secrets across unnecessary storage locations expands the attack surface and increases the probability of accidental exposure or stale unmanaged credentials.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The export_holdings function writes decrypted holdings to a plaintext JSON file in the user's home directory, which can expose sensitive financial data to other local processes, backups, or accidental sharing. There is no warning, confirmation, secure destination handling, or re-encryption, so a protected dataset is downgraded to cleartext with minimal friction.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The client sends user-supplied fund identifiers and query terms to an external third-party service without any explicit notice or consent mechanism at the call site. In a financial-analysis context, investment interests, searched sectors, and fund codes may be sensitive behavioral data, so undisclosed transmission creates a privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The code persistently stores analysis results under the user's home directory without user awareness or controls. Cached financial analysis inputs and outputs can expose investment interests or derived recommendations to other local users, backups, or forensic recovery if the host is shared or compromised.

Ssd 3

High
Confidence
100% confidence
Finding
The configuration examples expose live-looking credentials in plain text, including a realistic 天天基金 token format and a concrete 且慢 MCP API key. Secret exposure in public documentation is a direct credential leak that can lead to unauthorized service use, billing abuse, and potentially broader compromise if the same credentials are reused elsewhere.

VirusTotal

66/66 vendors flagged this skill as clean.
