Update Stock MCP

Security checks across malware telemetry and agentic risk

Overview

This skill is an MCP tool that manages a local stock database and discloses that purpose; the file, token, database and provider-network behavior noted below is what that purpose would be expected to involve.

Install only if you want this MCP server to manage a local A-share DuckDB database. Keep API_tushare.txt private, do not commit or sync it casually, use a dedicated DB_path, and confirm before running create or update tools because they make persistent local changes and may contact Tushare or Baostock for a long time.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch (Medium severity, 92% confidence)

The query tools accept an arbitrary DB_path and open it directly with DuckDB, which lets callers read from any local DuckDB file the agent process can access rather than only the intended stock database. In an agent setting, this broadens the tool from a stock-data service into a generic local database reader and can expose unrelated sensitive local data if another DuckDB file is present on disk.

Description-Behavior Mismatch (Medium severity, 95% confidence)

Updb.__init__ prioritizes an external option.json from another application and silently replaces the requested DB path with the external app’s configured database. That can cause reads and writes to target a different local database than the caller intended, enabling unintended access or modification of external application data.

Context-Inappropriate Capability (Medium severity, 93% confidence)

The update operation reads a local API credential file and creates that file if absent as a side effect, even when the user did not explicitly ask for file creation or credential persistence. In an agent environment, silent local file creation and credential handling increase the risk of secret exposure, persistence, and surprising filesystem modification.

Intent-Code Divergence (Medium severity, 88% confidence)

The tool descriptions imply they operate on the provided or default database, but object initialization may silently redirect to an external application database. This mismatch is security-relevant because users and higher-level agents may authorize a seemingly narrow stock query while the code actually touches a different local data source.
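The three findings above (an arbitrary DB_path opened directly, a silent option.json redirect, and the resulting gap between the tool description and what the code opens) share one remedy: resolve the requested path, confine it to a single data directory, and consult the external configuration only when the caller opts in, reporting which file was chosen so the user can be told before anything is opened. The following is an added example written for this report, not the skill's own code; the directory DEFAULT_DB_DIR, the "db_path" key in option.json, DbPathError and the function names are assumptions, and the sample files it creates are constructed in a throwaway directory.

```python
"""Confine DB_path to one data directory and make any option.json redirect
explicit. Added example, not the skill's code; DEFAULT_DB_DIR, the "db_path"
key, DbPathError and the function names are assumptions."""
from __future__ import annotations

import json
import tempfile
from pathlib import Path

DEFAULT_DB_DIR = Path.home() / "stock_data"   # assumed: the only directory the tool may open


class DbPathError(ValueError):
    """Requested path is outside the allowed directory or is not a .duckdb file."""


def resolve_db_path(requested: str | None, db_dir: Path = DEFAULT_DB_DIR) -> Path:
    """Return a .duckdb path strictly inside db_dir, or raise DbPathError.

    None or a bare filename is taken relative to db_dir. Symlinks and '..' are
    resolved before the containment check, so neither can escape the directory,
    and an absolute path elsewhere on disk is rejected instead of being opened.
    """
    base = db_dir.resolve()
    candidate = (base / (requested or "stock.duckdb")).resolve()
    if candidate.suffix != ".duckdb":
        raise DbPathError(f"not a DuckDB database file: {candidate.name!r}")
    if not candidate.is_relative_to(base):
        raise DbPathError(f"DB_path {requested!r} resolves outside {base}")
    return candidate


def choose_db_path(requested: str | None, *, use_external_config: bool = False,
                   option_json: Path | None = None,
                   db_dir: Path = DEFAULT_DB_DIR) -> tuple[Path, str]:
    """Pick the database and say where the choice came from.

    The external option.json is read only when the caller opts in, never as a
    silent default, and whatever it names is still confined to db_dir. The
    returned label lets the tool disclose which file it is about to open.
    """
    if not use_external_config:
        return resolve_db_path(requested, db_dir), ("DB_path" if requested else "default")
    if option_json is None or not option_json.is_file():
        raise DbPathError("use_external_config=True but no option.json was found")
    cfg = json.loads(option_json.read_text(encoding="utf-8"))
    external = cfg.get("db_path")            # assumed key name in option.json
    if not isinstance(external, str) or not external:
        raise DbPathError(f"{option_json} has no usable 'db_path' entry")
    return resolve_db_path(external, db_dir), f"option.json ({option_json})"


def run_demo() -> dict:
    """Exercise the checks against constructed files in a throwaway directory."""
    db_dir = Path(tempfile.mkdtemp(prefix="stockdb_"))
    outside = Path(tempfile.mkdtemp(prefix="other_")) / "secrets.duckdb"
    outside.touch()
    (db_dir / "link.duckdb").symlink_to(outside)        # symlink escape attempt
    option_json = db_dir / "option.json"
    option_json.write_text(json.dumps({"db_path": "app.duckdb"}), encoding="utf-8")

    def rejected(*args, **kwargs) -> bool:
        try:
            choose_db_path(*args, db_dir=db_dir, **kwargs)
            return False
        except DbPathError:
            return True

    results = {
        "default": choose_db_path(None, db_dir=db_dir),
        "named": choose_db_path("stock.duckdb", db_dir=db_dir),
        "dotdot_rejected": rejected("../escape.duckdb"),
        "absolute_rejected": rejected(str(outside)),
        "symlink_rejected": rejected("link.duckdb"),
        "non_duckdb_rejected": rejected("notes.txt"),
        "redirect_ignored_by_default": choose_db_path(
            "stock.duckdb", option_json=option_json, db_dir=db_dir),
        "redirect_opt_in": choose_db_path(
            "stock.duckdb", use_external_config=True, option_json=option_json, db_dir=db_dir),
    }
    # option.json pointing outside db_dir must not win even when opted in
    option_json.write_text(json.dumps({"db_path": str(outside)}), encoding="utf-8")
    results["external_escape_rejected"] = rejected(
        None, use_external_config=True, option_json=option_json)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The source label returned by choose_db_path is what the create and update tools should surface in their confirmation prompt, so that a redirect to another application's database is visible before any write happens rather than discovered afterwards.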

Vague Triggers (Medium severity, 87% confidence)

The trigger phrases include generic requests like creating, updating, and fetching stock data, which can cause the skill to activate for broad finance-related conversations rather than only explicit UpdateStock requests. Because the skill performs state-changing operations and can invoke external data-fetch/update flows, overbroad activation increases the risk of unintended tool use, unnecessary network activity, and accidental local file modification.

Missing User Warnings (Medium severity, 93% confidence)

The skill asks for a Tushare API token and describes update operations that fetch data from Tushare and Baostock, but it does not clearly warn that user-supplied tokens and request parameters will be transmitted to these third-party stock-data services. This omission can lead users to expose credentials or sensitive query activity without informed consent, especially in an agent setting where tool execution may feel local and opaque.

Missing User Warnings (Medium severity, 94% confidence)

The code silently reads and persists a Tushare API credential in a local plaintext file without clear disclosure, which is unsafe secret handling. Plain local secret storage can leak through backups, logs, shared directories, or later unintended file access by other tools or users on the same host.

Missing User Warnings (Medium severity, 94% confidence)

The easy update path repeats the same unsafe pattern of silently creating and reading a local API credential file. Duplicating the behavior across tool variants increases the chance of unnoticed secret persistence and broadens the number of code paths that can touch credentials unexpectedly.
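The credential findings above (silent creation of the token file in the update path, plaintext persistence without disclosure, and the same pattern repeated in the easy update path) all come down to how the token is read and written. The following is an added example for this report, not the skill's own code: one loader that prefers an environment variable, never creates the file as a side effect, refuses a file that other users on the host can read, and only persists a token after an explicit confirmation, with the permission bits set at creation time. API_tushare.txt is the file the skill uses; the TUSHARE_TOKEN variable, the permission rule, TokenError and the function names are assumptions, and the tokens in the demo are constructed.

```python
"""Read the Tushare token without creating or persisting a plaintext file as a
side effect. Added example, not the skill's code; TUSHARE_TOKEN, the permission
rule, TokenError and the function names are assumptions."""
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path

TOKEN_FILE = Path("API_tushare.txt")   # the skill's token file, relative to its working dir


class TokenError(RuntimeError):
    """No usable token, or the token file is stored unsafely."""


def load_tushare_token(token_file: Path = TOKEN_FILE, env: dict | None = None) -> str:
    """Return the token from the environment, else from a 0600-protected file.

    The file is never created here: when nothing is configured the tool fails
    with instructions instead of writing an empty credential file. A token file
    readable by group or others is refused, so a copy synced or backed up with
    loose permissions is noticed rather than silently used.
    """
    env = os.environ if env is None else env
    token = env.get("TUSHARE_TOKEN", "").strip()
    if token:
        return token
    if not token_file.is_file():
        raise TokenError(
            f"no TUSHARE_TOKEN in the environment and {token_file} does not exist; "
            "export TUSHARE_TOKEN or create the file yourself with mode 0600")
    mode = stat.S_IMODE(token_file.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise TokenError(
            f"{token_file} has mode {oct(mode)}; it must not be group/other readable (chmod 600)")
    token = token_file.read_text(encoding="utf-8").strip()
    if not token:
        raise TokenError(f"{token_file} exists but is empty")
    return token


def save_tushare_token(token: str, token_file: Path = TOKEN_FILE, *,
                       confirmed: bool = False) -> None:
    """Persist the token only after explicit confirmation, created with mode 0600.

    O_EXCL refuses to overwrite an existing file, and the mode is applied at
    creation, so there is no window in which the file is world-readable.
    """
    if not confirmed:
        raise TokenError("refusing to write a credential file without explicit user confirmation")
    if not token.strip():
        raise TokenError("refusing to persist an empty token")
    try:
        fd = os.open(token_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        raise TokenError(f"{token_file} already exists; remove it first to replace it") from None
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(token.strip() + "\n")


def redact(token: str) -> str:
    """Show only the last four characters, for confirmation prompts and log lines."""
    return "*" * max(len(token) - 4, 0) + token[-4:]


def run_demo() -> dict:
    """Exercise the rules with constructed tokens in a throwaway directory."""
    work = Path(tempfile.mkdtemp(prefix="tushare_"))
    token_file = work / "API_tushare.txt"
    out = {}

    def fails(fn) -> bool:
        try:
            fn()
            return False
        except TokenError:
            return True

    out["env_wins"] = load_tushare_token(token_file, env={"TUSHARE_TOKEN": " tok_from_env "})
    out["missing_file_refused"] = fails(lambda: load_tushare_token(token_file, env={}))
    out["unconfirmed_save_refused"] = fails(lambda: save_tushare_token("tok_abcd1234", token_file))
    save_tushare_token("tok_abcd1234", token_file, confirmed=True)
    out["saved_mode"] = stat.S_IMODE(token_file.stat().st_mode)
    out["file_token"] = load_tushare_token(token_file, env={})
    out["overwrite_refused"] = fails(lambda: save_tushare_token("other", token_file, confirmed=True))
    token_file.chmod(0o644)   # simulate a copy that was synced or restored with loose permissions
    out["loose_perms_refused"] = fails(lambda: load_tushare_token(token_file, env={}))
    out["redacted"] = redact("tok_abcd1234")
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Because both the normal and the easy update paths should call the same loader, the behavior is defined in one place: neither path can quietly create the file, and the confirmation required by save_tushare_token is the same prompt the report recommends before any create or update run.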

VirusTotal

66/66 vendors flagged this skill as clean.
