WSB Hot Stocks Daily

Security checks across malware telemetry and agentic risk

Overview

This skill coherently fetches public WallStreetBets stock-trend data and posts a scheduled digest to a Discord channel the user configures.

Before installing, review the two scripts, set the Discord channel ID and OpenClaw path yourself, and run a manual test before enabling cron. Prefer a least-privilege user instead of root, confirm the cron entry points to the reviewed local copy, and remove the crontab line if you no longer want automatic Discord posts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The documentation describes network-facing behavior but does not declare the corresponding permissions, which weakens reviewability and informed consent. In a skill that fetches external market data and pushes messages to Discord, undeclared network capability can hide data flow and make misuse or overreach harder for users to assess.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script automatically sends generated content to a Discord channel via `openclaw message send` without any interactive confirmation, dry-run mode, or prominent user-facing disclosure at execution time. While outbound messaging is the stated purpose of this skill, automatic exfiltration of generated content to an external service can still create security and privacy risk if the digest unexpectedly contains sensitive data, manipulated content, or is run in the wrong environment/channel.

Session Persistence

Medium
Category
Rogue Agent
Content
### 4. Set up the scheduled task

```bash
crontab -e

# Add the following line (pushes daily at 9:00 and 21:00 Beijing time)
0 9,21 * * * /root/.openclaw/workspace/skills/wsb-digest/scripts/wsb-digest-trigger.sh
```
Confidence
88% confidence
Finding
crontab -e

Session Persistence

Medium
Category
Rogue Agent
Content
Edit the crontab:
```bash
crontab -e
```

Cron format notes:
Confidence
86% confidence
Finding
crontab -e

VirusTotal

66/66 vendors flagged this skill as clean.