
Security audit

market-beats

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Prana remote-service wrapper for market-news results, with credential storage and raw response handling that users should understand before installing.

Install only if you trust the Prana endpoint and are comfortable sending prompts and Prana credentials to it. Use a dedicated key, do not commit `config/api_key.txt`, and set `PRANA_SKILL_SKIP_WRITE_API_KEY=1` or provide credentials through environment variables if you do not want plaintext key storage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation exposes capabilities implying environment access, file read/write, and network use, but declares no permissions or trust boundaries. This is dangerous because integrators and users cannot accurately assess what the skill will access, increasing the risk of unintended secret exposure, local file access, or network exfiltration through an apparently simple news skill.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The stated purpose is a real-time financial news crawler and viewer, but the documented behavior includes remote backend job execution, result polling, and API credential discovery/storage. That mismatch is dangerous because it can mislead users into authorizing a broader, more privileged workflow than expected, including handing credentials to a remote service and enabling data flow outside the advertised functionality.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The README and package metadata describe a real-time finance news skill, but the actual documentation shows this is a generic remote Prana thin client that manages API keys and invokes a hidden server-side skill. That mismatch is dangerous because users and agent platforms may grant trust, permissions, or deployment approval based on a false understanding of the package’s function, enabling deceptive remote execution and credential handling under an unrelated cover story.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill claims real-time crawling and WebSocket push, but the README describes HTTP-based remote execution with delayed polling via agent-result. This discrepancy can mislead operators about data flow, latency, trust boundaries, and runtime behavior, making security review and user consent materially weaker because the package does not behave as advertised.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The package includes logic and documented workflow for obtaining API keys and persisting them locally, even though the advertised purpose is merely monitoring finance news. Unnecessary credential acquisition and storage expand the attack surface: a user may unknowingly authorize remote service access and leave reusable secrets on disk for later theft or misuse.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The file for a market-news skill documents storage and retrieval of unrelated Prana Claw API credentials, including an automatic fetch path and write-back behavior. This mismatch is dangerous because it suggests hidden cross-service coupling or credential collection behavior that is not necessary for the declared functionality, increasing the risk of secret exposure, unauthorized account creation, or abuse of external services.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The inline documentation explicitly states that the file stores Prana Claw API credentials, which contradicts the advertised identity of the skill as a financial news scraper/display tool. Such inconsistency is a security red flag because users may provide or retain sensitive keys they do not understand, and reviewers cannot reliably determine what external systems the skill will contact.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The client can automatically fetch API credentials over the network and then persist them to config/api_key.txt, creating a sensitive-secret exposure path on disk. In a skill advertised as real-time financial news monitoring, this credential acquisition/storage behavior is unrelated to core functionality and increases risk of secret leakage through filesystem access, backups, logs, packaging, or accidental repository commits.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata advertises local real-time financial news crawling/display, but this file is actually a generic remote execution proxy that forwards user input to a Prana/Claw backend-selected skill. That mismatch is dangerous because users may grant trust, network access, or credentials under false assumptions, while the real behavior depends on opaque remote server-side logic outside the packaged skill.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script can automatically fetch API credentials from a remote endpoint and persist them to config/api_key.txt on disk, which expands its privilege and persistence model beyond a simple news-display skill. Persisting secrets locally increases the risk of credential leakage through filesystem exposure, packaging mistakes, backups, or accidental repository commits.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README states that API credentials will be automatically written to config/api_key.txt after retrieval, but the warning about security implications is not presented prominently at the point of use. This is dangerous because users may run the client and persist sensitive secrets in a predictable local path without understanding exposure risks such as accidental commit, local compromise, or multi-user access.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs integrators and channels to fetch API keys and write them to api_key.txt, but does not prominently emphasize secure secret-handling practices at that step. In a multi-platform agent ecosystem, this can normalize unsafe credential persistence and propagation, increasing the chance of leakage through logs, workspaces, container layers, backups, or source control.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The markdown instructs operators to send an API key and secret together in a header, but provides no warning about secret handling, storage, redaction, or transmission risks. In practice, such credentials are often logged by clients, proxies, or support tooling, which can lead to credential leakage and unauthorized access to the associated API account.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The file states that a thin client will automatically request API keys and write them back locally when no credential exists, but it does not clearly define when this happens, what host is contacted, or what user authorization is required. Underspecified secret-fetching behavior is dangerous because it can lead to silent network access, unintended credential generation, and persistent storage of secrets on disk without informed consent.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Credentials obtained from the network are written directly to disk without an interactive warning or confirmation at the write site, which can silently create a plaintext secret file in the skill directory. That behavior materially raises the chance of credential compromise via local users, malware, backups, container layers, artifact collection, or accidental source-control inclusion.

Ssd 3

Medium
Confidence
97% confidence
Finding
The instruction to pass `/api/claw/agent-run` and `/api/claw/agent-result` responses directly to end users without filtering or redaction creates a direct data-exposure path. If those backend responses include internal metadata, errors, identifiers, tokens, prompts, or other sensitive fields, the client will leak them verbatim to users, and the skill context makes this more dangerous because it explicitly mandates bypassing normal sanitization.

VirusTotal

65/65 vendors flagged this skill as clean.
