Cofco Futures Skill

Security checks across malware telemetry and agentic risk

Overview

This financial-services skill is not clearly malicious, but it asks for sensitive account details and can perform trading-like actions without enough scoping or safety disclosure.

Review this skill carefully before installing. It may be acceptable only in a controlled simulation or trusted financial-services environment with explicit user confirmation for every order, secure authentication outside chat, clear privacy terms for name and phone collection, and narrowed triggers for sensitive workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The documentation says this skill is for trading-calendar queries, but the body actually instructs the agent to query delivery/trading content data. This mismatch can cause the wrong skill to be invoked, confuse users about what data is being accessed, and lead to unintended tool calls against a different data domain than advertised.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The skill states that both date and variety are mandatory before calling the tool, but the single-day example invokes `query_delivery_memo` without `variety_id`. This inconsistency can cause the agent to issue broader-than-intended queries, return unrelated records, or bypass the skill's own input-validation rules, which is a real security/privacy and correctness risk when querying business data.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The skill explicitly asks the user to provide account information and then proceeds into a login flow, expanding behavior from simulated trading operations into credential collection. In an agent context, requesting credentials directly from users is dangerous because the model may handle, retain, log, or retransmit secrets in ways the user does not expect.

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
Finding
The skill includes account registration guidance and an external signup link even though the file is framed as a simulated-trading interaction skill. This scope expansion increases phishing and trust-boundary risk because the agent is guiding users to an off-platform account workflow not clearly declared in the skill purpose.

Description-Behavior Mismatch

Severity: Medium
Confidence: 85%
Finding
The manifest description advertises informational and consultation features but omits that the skill can collect customer lead data via the collect_customer_info tool. This mismatch can mislead users, reviewers, or host platforms about the true data-handling behavior, reducing informed consent and making unexpected PII collection more likely.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The futures-trading trigger list includes extremely broad terms such as buy/sell/open/close and generic query phrases, which can cause the agent to enter a trading workflow on ambiguous user input. In a financial skill, misrouting ordinary conversation into order-related actions materially increases the risk of unintended simulated trades, disclosure of account data, or unsafe follow-up prompts for trading parameters.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The lead-collection/callback trigger is mapped to very broad keywords like 'contact me', 'phone', and 'appointment' without requiring account-opening or service context. This can cause unnecessary collection of personal information in unrelated conversations, creating privacy and consent risks even though the document mentions a consent requirement elsewhere.

Vague Triggers

Severity: Medium
Confidence: 96%
Finding
The trigger condition activates on any request containing the word "交易" (trade/transaction), which is extremely broad in a financial assistant. An attacker or ordinary user could easily cause inappropriate activation for unrelated requests such as trading advice, account actions, or other market workflows, leading to confused delegation or incorrect tool usage.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The invocation description does not clearly distinguish futures-delivery queries from other trading-related requests. In a skill set that also includes account opening, simulated trading, and other futures operations, this ambiguity increases the risk that the agent routes a request to the wrong capability or misinterprets the user's intent.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The trigger definition includes any delivery-related request containing the keyword '备忘录' (memo), which is broad enough to activate this skill for ambiguous or unintended user inputs. Overbroad activation can lead to the wrong tool being selected, unnecessary data access attempts, and leakage of query context into a workflow the user did not actually request.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The prompt asks users to directly provide account information while only asserting that the information will be kept confidential, which is not a real security control. In a conversational agent, this can cause users to reveal login secrets into chat transcripts, telemetry, or downstream tools, creating immediate credential-compromise risk.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill supports order placement and cancellation for trading actions but does not require a clear risk disclosure or explicit confirmation checkpoint before executing financially meaningful commands. Even in a simulated environment, this normalizes unsafe agent behavior and could lead to unauthorized or accidental trade actions if reused or adapted for real trading contexts.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
This section documents live-like trading actions such as order placement, cancellation, and account/position queries without any explicit warning that these operations can materially change account state, create positions, or expose sensitive financial information. In a futures-trading skill, omission of clear risk and confirmation guidance makes accidental or unsafe use more likely, especially if another agent or UI consumes the docs programmatically and exposes these actions to users without adequate safeguards.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The authentication flow uses a plaintext WebSocket endpoint (ws://) while transmitting credentials encrypted only by a server-provided public key obtained over that same unauthenticated channel. Without transport security or trust validation, a man-in-the-middle could replace the public key, intercept credentials, or observe sensitive session and account data; the docs also omit privacy warnings around subsequent exposure of account identifiers and balances.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill defines a tool that collects name and phone number, but the manifest does not provide a clear privacy notice about storage, transmission, recipient, retention, or user consent flow. In a financial-services context, unexpected handling of personal contact data is more sensitive because users may assume an official assistant is safe and provide PII without understanding where it goes.

Ssd 3

Severity: High
Confidence: 98%
Finding
The skill instructs the agent to solicit, record, and use user-provided account credentials as part of the workflow. This is a direct secret-handling anti-pattern: agents should not collect or retain raw credentials because they may be exposed through memory, logs, prompt injection, debugging output, or tool misuse.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.