Stock Push

Security checks across malware telemetry and agentic risk

Overview

This stock-alert skill mostly does what it says, but it needs review because it installs root-level scheduled jobs and can send portfolio alerts to a hard-coded WeChat recipient unless edited first.

Install only after reviewing the installer and editing all three scripts to use your own WeChat USER_ID and holdings/watchlist. Prefer a user-level scheduler or dedicated non-root account, avoid the remote-download installer unless you verify the package, and know how to remove /etc/cron.d/stock-monitor and /etc/logrotate.d/stock-monitor to stop the scheduled pushes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

MCP Least Privilege

Medium
Confidence
90% confidence
Finding
The skill documentation describes capabilities to access the network, write files, and invoke shell commands, but no permissions are declared. That creates a transparency and governance gap: operators or users may authorize or trigger the skill without understanding it can modify the host or reach external services. In this context, the undeclared shell/file/system behavior is especially risky because the same skill also appears to manage cron and logrotate, which are privileged system surfaces.

MCP Tool Poisoning

High
Confidence
98% confidence
Finding
This is a substantive behavior mismatch, not a cosmetic documentation issue. The skill claims to provide stock push functionality, but the described implementation also installs itself, writes to /etc/cron.d and /etc/logrotate.d, restarts cron, and hardcodes delivery targets—actions that exceed normal user-facing stock-query behavior and can create persistence and host modification. Because these actions are hidden behind an innocuous finance-oriented description, the mismatch materially increases the chance of unauthorized system changes.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The installer creates system-level persistence by writing to /etc/cron.d and /etc/logrotate.d and restarting cron, which exceeds normal per-user skill setup and gives the skill recurring execution as root. In the context of a stock notification skill, this broad persistence meaningfully increases risk because any later modification of the installed scripts would run automatically with elevated privileges.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The installer performs privileged system-wide modifications under /etc and /root that go beyond a simple user-scoped stock notification setup. This is dangerous because a skill installer with root-level persistence and configuration authority materially expands blast radius if the package is compromised or misused.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The installer downloads a remote package from GitHub and installs it without any integrity verification such as a pinned hash or signature check. This creates a supply-chain risk: if the repository, URL target, or network path is compromised, arbitrary code can be installed in a privileged environment.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The installer creates root-owned cron jobs that execute Python scripts from a workspace path on a recurring basis, establishing privileged persistence. In the context of a stock-push skill, this is more dangerous because the stated function does not inherently require root execution, so any later modification of those scripts could lead to repeated privileged code execution.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger phrases are overly broad, especially generic words like '推送' and '股票'. This can cause the skill to activate during ordinary conversation unrelated to scheduled stock pushes, potentially causing external network access, message sending, or other side effects without clear user intent. In a skill that can send WeChat messages and manage scheduled workflows, accidental invocation is more dangerous than in a read-only informational skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script silently overwrites privileged cron and logrotate configuration files without confirmation, backup, or dry-run behavior. This is dangerous because it changes system scheduling and log handling globally, and a user invoking a convenience installer may not realize it is making persistent root-owned changes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Restarting the cron service without prior warning changes live system state immediately and can disrupt existing scheduled task execution or mask installation problems. While not inherently malicious, doing this automatically as part of a skill installer is an unsafe privileged side effect.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The installer silently writes system cron and logrotate files, modifying system state and persistence mechanisms without a clear upfront warning or confirmation gate. While not an exploit by itself, this is a security-relevant transparency failure that increases the chance of unintended privileged changes on the host.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script automatically sends stock holdings summaries to an external WeChat channel using a hard-coded user identifier, with no consent, confirmation, or privacy notice in the code path. In a skill that triggers on broad terms like '推送' or '股票', this increases the chance of unexpected disclosure of potentially sensitive financial information.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
A hardcoded WeChat recipient ID causes stock/holding information to be sent automatically to a fixed external account, creating a privacy and data-disclosure risk. In an agent skill context, this is more dangerous because it enables unattended exfiltration of potentially sensitive financial information without runtime user confirmation or recipient verification.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This skill automatically transmits stock summaries and watchlist information to an external WeChat endpoint identified by a hard-coded USER_ID, with no consent check, confirmation step, or recipient verification. In an agent-skill context, silent outbound messaging can leak sensitive financial interests or portfolio-monitoring data to an unintended party, especially because the trigger conditions are broad.

VirusTotal

66/66 vendors flagged this skill as clean.
