港股+A股盯盘系统 (HK Stocks + A-Shares Monitoring System)

Security checks across malware telemetry and agentic risk

Overview

This stock-monitoring skill broadly matches its purpose, but it ships with embedded external-service credentials and a preset Feishu destination that could send alert data somewhere the installer did not choose.

Install only after reviewing and editing the configuration. Replace the Feishu chat ID with your own or disable messaging, remove and rotate the embedded QVeris key, require your own QVERIS_API_KEY if you use QVeris, validate any custom stock codes, and check cron jobs plus generated data/report directories so monitoring and alerting stop when you expect them to.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documentation describes executable scripts and configuration that imply access to environment/configuration data, yet no permissions are declared. This creates a transparency and governance gap: users and platforms cannot accurately assess what runtime capabilities the skill needs, which can hide sensitive data access or make review ineffective.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
A description-behavior mismatch is a real security issue here because the documented scope omits materially sensitive behaviors: use of a hardcoded third-party API key, additional alert types, persistent long-term data retention, and system-level outbound fault notifications. When a skill does more than advertised, users cannot give informed consent, and hidden credentials or undisclosed data handling significantly increase the risk of secret leakage, unauthorized transmission, and privacy/compliance problems.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The QVeris integration constructs shell commands by interpolating values such as script paths, API key, and especially stock codes into execSync command strings. Because codesStr is inserted inside a shell command and then into a JSON argument without robust escaping, a crafted stock code could break quoting and trigger command injection, leading to arbitrary command execution.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script hardcodes a live-looking QVeris API key as a fallback value in source code, which exposes a credential to anyone with repository or package access. Even though this file does not directly use the key in the shown code path, embedding secrets in a stock-monitoring skill unnecessarily introduces credential abuse risk, including unauthorized API usage, billing impact, and reuse by downstream users or attackers.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation explicitly promotes Feishu/Telegram alerting but does not warn that monitored market data, alert content, and configuration identifiers such as chat IDs may be transmitted to external services. This omission is dangerous because it can cause inadvertent disclosure of potentially sensitive trading interests, operational metadata, or identifiers to third-party platforms without clear user awareness.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
A hardcoded fallback API key is embedded in the source, exposing a credential to anyone with code access and potentially to logs, archives, or downstream reuse. This can enable unauthorized use of the paid QVeris service, billing abuse, and loss of control over the associated account.

Missing User Warnings

High
Confidence
98% confidence
Finding
Using a hardcoded API key as a silent fallback means the script will operate with embedded credentials without explicit user awareness or consent. In this skill context, that is especially risky because the monitor's stated purpose is market monitoring, not handling vendor credentials, so the hidden credential path broadens capability and can mask unauthorized third-party service usage.

VirusTotal

65/65 vendors flagged this skill as clean.
