持仓诊断 (Portfolio Diagnosis)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Prana remote-wrapper for stock portfolio diagnosis, with real privacy and credential-storage considerations but no evidence of hidden exfiltration, destructive behavior, or deception.

Install only if you trust the configured Prana/Claw endpoint and are comfortable sending portfolio holdings and prompts to that service. Treat config/api_key.txt as a secret, do not commit it, and consider setting PRANA_SKILL_SKIP_WRITE_API_KEY=1 or providing credentials via environment variables instead of saving them in the skill directory.
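The recommendation above (prefer environment variables, honor PRANA_SKILL_SKIP_WRITE_API_KEY=1, keep config/api_key.txt out of version control) and the credential-persistence findings below translate into a small amount of defensive code. The following is an added example, not the skill's own code: a key resolver that never writes a fetched key to disk when the skip flag is set, creates the file exclusively with owner-only permissions when it does persist, and an audit helper that flags a key file that is group/world readable or not excluded by .gitignore. The environment variable name PRANA_API_KEY, the shape of the `fetch` callable and the .gitignore matching heuristic are assumptions; the skip flag and the config/api_key.txt path are from the page.

```python
# Added example: hardened key handling for a skill that would otherwise fetch
# an API key and write it to config/api_key.txt. Not the skill's own code.
# Assumed: the env var name PRANA_API_KEY and the fetch callable's shape;
# PRANA_SKILL_SKIP_WRITE_API_KEY=1 and config/api_key.txt are from the page.
import os
import stat
import tempfile
from pathlib import Path
from typing import Callable, Mapping, Union

ENV_KEY = "PRANA_API_KEY"                            # assumed name
SKIP_WRITE_FLAG = "PRANA_SKILL_SKIP_WRITE_API_KEY"   # from the page
KEY_FILE = Path("config") / "api_key.txt"            # from the page

# Simplified .gitignore heuristic (assumption): exact patterns that would
# cover the key file. A real check would use `git check-ignore`.
_IGNORE_PATTERNS = {"config/api_key.txt", "/config/api_key.txt", "config/",
                    "config", "/config", "api_key.txt", "*.txt"}


def resolve_api_key(env: Mapping[str, str], skill_dir: Union[str, Path],
                    fetch: Callable[[], str]) -> tuple[str, str]:
    """Return (key, source). Precedence: environment, existing key file, remote fetch.

    A fetched key is persisted only when the skip flag is not set, and then the
    file is created exclusively (never overwriting) with owner-only permissions.
    """
    key = env.get(ENV_KEY, "").strip()
    if key:
        return key, "env"                       # nothing touches the disk
    path = Path(skill_dir) / KEY_FILE
    if path.is_file():
        return path.read_text(encoding="utf-8").strip(), "file"
    key = fetch().strip()
    if not key:
        raise RuntimeError("remote returned an empty API key")
    if env.get(SKIP_WRITE_FLAG, "") == "1":
        return key, "fetched-not-persisted"     # user opted out of a local secret at rest
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(key + "\n")
    return key, "fetched-persisted"


def audit_key_file(skill_dir: Union[str, Path]) -> list[str]:
    """List secret-at-rest problems for config/api_key.txt in a skill checkout."""
    root = Path(skill_dir)
    path = root / KEY_FILE
    problems: list[str] = []
    if not path.is_file():
        return problems
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{KEY_FILE} is readable by group/others (mode {mode:o})")
    gitignore = root / ".gitignore"
    lines = gitignore.read_text(encoding="utf-8").splitlines() if gitignore.is_file() else []
    if not any(line.strip() in _IGNORE_PATTERNS for line in lines):
        problems.append(f"{KEY_FILE} is not excluded by .gitignore")
    return problems


def run_scenarios() -> dict:
    """Exercise each path in a throwaway directory with a constructed fake key."""
    fake_fetch = lambda: "sk-fake-0000"          # constructed stand-in for the remote call
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        out["skip_write"] = resolve_api_key({SKIP_WRITE_FLAG: "1"}, d, fake_fetch)
        out["file_after_skip"] = (d / KEY_FILE).exists()
        out["persist"] = resolve_api_key({}, d, fake_fetch)
        out["mode"] = stat.S_IMODE((d / KEY_FILE).stat().st_mode)
        out["audit_unignored"] = audit_key_file(d)
        (d / ".gitignore").write_text("config/api_key.txt\n", encoding="utf-8")
        out["audit_ignored"] = audit_key_file(d)
        out["reuse"] = resolve_api_key({}, d, lambda: "must-not-be-called")
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The precedence order matters: checking the environment first means a CI runner or a shared workstation can supply the key without ever creating config/api_key.txt, and the O_EXCL create means a key that already exists on disk is reused rather than silently replaced by whatever the remote returns.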

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch
Severity: Medium | Confidence: 94%
Finding: This file documents storage of a Prana Claw platform API credential and instructions to retrieve keys from an external API, which is unrelated to the stated stock-portfolio diagnosis function. That mismatch is dangerous because it expands the skill's trust boundary, encourages local secret persistence, and may enable unnecessary credential collection or leakage if the skill package is shared or committed.

Context-Inappropriate Capability
Severity: Medium | Confidence: 96%
Finding: The file explicitly describes automatically fetching platform API keys and writing them back to a local file, introducing a credential acquisition and persistence capability unrelated to portfolio analysis. This creates a concrete secret-exposure risk: locally written keys can be accidentally committed, read by other components, or harvested by anyone with filesystem access.

Description-Behavior Mismatch
Severity: High | Confidence: 96%
Finding: The script is a generic remote wrapper for invoking an external agent service, loading metadata from SKILL.md and forwarding arbitrary user messages to a remote endpoint. That behavior materially exceeds the declared purpose of a local A-share portfolio diagnosis skill and creates a capability gap where users may unknowingly send sensitive portfolio or account data to an unrelated remote system.

Context-Inappropriate Capability
Severity: High | Confidence: 98%
Finding: The code automatically discovers API credentials from a remote service and, by default, persists them to config/api_key.txt without interactive confirmation. For a portfolio-analysis skill, silently acquiring and storing reusable credentials is unnecessary and increases the risk of credential leakage, misuse, or later abuse by other local users, processes, or accidental source-control exposure.

Context-Inappropriate Capability
Severity: Medium | Confidence: 93%
Finding: The invocation path accepts arbitrary message content, builds a generic request body, and sends it to a remote agent-run API using a packaged skill key and credentials. In context, this turns the package into a general-purpose remote execution conduit rather than a narrowly scoped portfolio diagnostic tool, expanding the attack surface and increasing the chance of unauthorized or unexpected data processing.

Description-Behavior Mismatch
Severity: High | Confidence: 99%
Finding: The file is explicitly a thin client that forwards arbitrary user input to a remote Prana service, while the skill is advertised as a local Tushare-driven portfolio diagnosis tool. This is a supply-chain and data-exfiltration risk because users may provide holdings, positions, and other sensitive financial data under the assumption that processing is local or limited to the declared functionality, but the code instead transmits it to a separate remote execution environment.

Context-Inappropriate Capability
Severity: Medium | Confidence: 96%
Finding: The code can automatically retrieve platform API credentials from the network even though portfolio analysis does not inherently require credential bootstrapping in a downloaded public skill. This expands the trust boundary and gives the skill the ability to obtain access tokens or keys beyond what a user may expect, increasing the chance of unauthorized service access or misuse if the endpoint or package is compromised.

Vague Triggers
Severity: Medium | Confidence: 79%
Finding: The trigger phrases are broad, natural investing-language requests that may match ordinary conversation and invoke the skill unexpectedly. In this context, accidental invocation matters because the skill appears capable of network access and remote processing of sensitive holdings data, so unintended activation can lead to unanticipated disclosure.

Missing User Warnings
Severity: Medium | Confidence: 93%
Finding: The skill description does not clearly warn users that their portfolio contents may be sent to external market-data or remote execution services. Because portfolio composition, cost basis, and positions are sensitive financial information, the absence of upfront disclosure undermines informed consent and increases privacy and compliance risk.

Missing User Warnings
Severity: Medium | Confidence: 97%
Finding: Persisting fetched API credentials to disk without a prominent warning or confirmation creates a secret-handling weakness. Users may be unaware that long-lived credentials were stored locally, which raises the likelihood of compromise through local file disclosure, backups, shared environments, or accidental repository commits.

Missing User Warnings
Severity: Medium | Confidence: 98%
Finding: Fetched API credentials are persisted to config/api_key.txt by default, which creates a local secret-at-rest exposure without an explicit confirmation prompt. If the working directory is shared, backed up, committed, or readable by other users or processes, these credentials can be stolen and reused to access the remote platform.

Vague Triggers
Severity: Medium | Confidence: 92%
Finding: The trigger phrases are common conversational requests such as '看看我的股票组合' ("take a look at my stock portfolio") and '仓位合理吗' ("is my position sizing reasonable?"), which can cause the skill to activate in situations where the user did not explicitly intend to invoke this specific third-party capability. Because the skill has network and filesystem permissions and performs investment-related analysis, unintended activation could expose sensitive portfolio data to the skill or trigger unnecessary external requests.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal