stock_analysis_7step

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed remote Prana wrapper for A-share stock analysis, with expected network use and sensitive but documented API-key handling.

Install only if you trust the Prana/Claw service and are comfortable sending stock-analysis prompts to it. Keep config/api_key.txt private, avoid committing it, verify the base URL before use, and set PRANA_SKILL_SKIP_WRITE_API_KEY=1 or provide credentials through environment variables if you do not want the client to write an API key to disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill advertises a finance-analysis function but exposes code-capable behaviors including environment access, file read/write, and network use without declaring permissions. This creates a transparency and consent failure: users may invoke the skill expecting local analysis while it can access secrets, modify local files, and communicate externally.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding:
The documented purpose is stock financial analysis, but the observed behavior includes obtaining API keys from a remote endpoint, storing them locally, calling external Prana/Claw services, and polling remote execution results, while no local analysis logic is present. This mismatch is dangerous because it can mislead users into granting trust and credentials to what is effectively a remote-execution wrapper rather than an analysis tool.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
The documentation instructs users to query an external purchase-record API and reuse API authentication material unrelated to the stated financial-analysis purpose. This broadens data exposure and conditions users to send sensitive credentials to external systems without a clear functional need, increasing the risk of credential misuse or unintended data disclosure.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The skill is presented as a local A-share financial-analysis/report-generation tool, but the code is explicitly a thin client that forwards user input to a remote Prana service. This is a material capability mismatch: users may expose proprietary prompts, market research, or sensitive account-linked data to an external backend they were not expecting, which meaningfully increases privacy, integrity, and supply-chain risk.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
This code automatically retrieves API credentials from a remote endpoint and can persist them locally, but that behavior is not reflected in the skill description. Undisclosed credential acquisition and storage expands the attack surface and violates user expectations for a financial-analysis skill, especially on shared systems or developer workstations.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
The skill can source credentials from environment variables, local files, or an automatic network fetch, then store them in config/api_key.txt. For a public financial-analysis skill, that is an unjustified secret-handling capability that increases the chance of credential leakage, misuse on shared hosts, or accidental commit of sensitive keys.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The README instructs the thin client to automatically fetch API credentials and persist them to config/api_key.txt on local disk. Storing long-lived secrets in a plaintext project file increases the risk of accidental disclosure through source control, backups, shared workspaces, local malware, or other users on the same system; the danger is amplified because this package is a generic remote-execution wrapper that depends entirely on those credentials.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The client will automatically request API credentials from a remote endpoint and, by default, persist them to config/api_key.txt without an explicit interactive confirmation at the time this occurs. This increases the risk of credential exposure through local filesystem compromise, accidental inclusion in backups or source control, or misuse if the configured base URL is incorrect or attacker-controlled.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The code may contact a remote API to fetch credentials and then save them locally without a clear preflight warning or consent prompt. Even if intended for convenience, silent transmission and storage of secrets is risky because users may not realize credentials are being requested from the network or written to disk.

VirusTotal

67/67 vendors flagged this skill as clean.
