getmeastock

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed remote stock-analysis wrapper that sends requests to Prana/Claw and may store its own API credentials locally.

Install only if you are comfortable with a remote Prana/Claw service processing your stock-analysis prompts. Use service-specific credentials, do not put unrelated secrets in messages, keep config/api_key.txt private, set PRANA_SKILL_SKIP_WRITE_API_KEY=1 if you do not want keys saved to disk, and prefer the Python runner unless you need the Node path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill documentation declares no permissions, yet the associated capability profile indicates access to environment variables, file read/write, and network. That mismatch prevents informed consent and hides the real trust boundary: a stock-analysis skill can access credentials, persist data locally, and communicate externally. In this context, undeclared capabilities are especially risky because the skill also appears to interact with remote services and local credential files.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 98%
Finding:
The described purpose is A-share stock analysis, but the observed behavior includes retrieving API keys from a remote endpoint, storing credentials locally, parsing skill metadata to select remote skills, and invoking arbitrary remote agent execution endpoints. This is a material capability expansion beyond stock analysis and can enable credential harvesting, unauthorized remote action execution, and abuse of the host as a proxy for other skills or services. The mismatch makes the skill context more dangerous because users are likely to trust it with financial-analysis queries while it performs hidden orchestration and secret handling.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
This file documents storing Prana Claw API credentials inside the skill package and includes operational guidance for how to retrieve and persist them locally. That behavior is unrelated to the stated stock-analysis purpose, so it expands the skill’s trust boundary and creates a risk of credential exposure, accidental publication, or misuse if the package is shared or inspected.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The file explicitly describes auto-fetching platform API keys from an endpoint and writing them back to disk, which introduces credential collection and persistence capability not justified by a stock-analysis tool. If abused or misconfigured, this can lead to secret harvesting, long-term credential exposure in local files, logs, backups, or version control, and unauthorized access to the platform account.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding:
The package is marketed as a stock-analysis skill, but the code is a thin wrapper that forwards arbitrary user input to a remote service for execution. This creates a substantial trust-boundary problem: users may believe they are running local packaged functionality while instead sending prompts and potentially sensitive data to an external backend they cannot inspect or constrain.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The client automatically requests API credentials from a remote endpoint and, by default, persists them to config/api_key.txt on disk. For a public stock-analysis skill, silent credential acquisition and storage is over-privileged and increases the chance of credential leakage through local compromise, accidental repository commits, or reuse by other processes.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The README instructs the client to automatically fetch API credentials and persist them to `config/api_key.txt`, which creates a local secret-at-rest by default. Even though the document later says not to commit the file, the setup flow does not prominently warn users before persistence, increasing the chance of credential leakage through source control, shared workspaces, backups, or permissive filesystem access.

VirusTotal

64/64 vendors flagged this skill as clean.
