Vnstock Free Expert

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Vietnam stock-analysis skill, but it exposes broader execution and provider-bypass guidance than its free-tier analysis framing makes clear.

Install only if you are comfortable with a skill that can run local Python scripts, contact financial data providers, read an optional VNSTOCK_API_KEY, and write result files. Keep use to the fixed valuation pipeline where possible, avoid untrusted module/class/method values in invoke_vnstock.py, do not use rotating proxies to bypass provider blocking, and treat DNSE or other brokerage-related material as out of scope unless you have explicit controls for real-money trading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if not hasattr(mod, args.class_name):
        raise AttributeError(f"Class not found in module {args.module}: {args.class_name}")

    cls = getattr(mod, args.class_name)
    client = cls(**init_kwargs)

    if not hasattr(client, args.method):
Confidence
96% confidence
Finding
cls = getattr(mod, args.class_name)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if not hasattr(client, args.method):
        raise AttributeError(f"Method not found on {args.class_name}: {args.method}")

    method = getattr(client, args.method)

    limiter = RateLimiter(min_interval_sec=args.min_interval_sec)
    limiter.wait()
Confidence
97% confidence
Finding
method = getattr(client, args.method)

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The documentation exposes proxy-related features, including rotation modes, in a skill whose stated purpose is free-tier-safe stock analysis with strict rate-limit control. Even if presented as configuration options, this broadens the operational scope toward evading upstream access controls and normal usage limits.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
This section explicitly recommends proxy rotation and similar modes to avoid IP blocking, which is effectively guidance for circumventing provider-imposed access restrictions. In the context of a 'free-tier-safe' workflow, this is especially dangerous because it encourages scaling or persistence beyond intended limits and can facilitate abuse of third-party services.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The skill claims strict rate-limit control, yet this section advises rotating proxies as a practical workaround for blocked access. That contradiction makes the guidance more dangerous because users may rely on the skill's safety framing while being steered toward evasive behavior that bypasses service protections.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
Describing proxy support as an advantage specifically for 'bypassing IP blocking' normalizes control evasion as a feature benefit. In a stock-analysis skill marketed as safe and rate-limited, that framing increases the likelihood of misuse and undermines the stated operational constraints.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The troubleshooting section tells users to resolve 403/IP blocking by using rotating proxies, which directly instructs them to work around access enforcement by the upstream service. This is actionable bypass guidance and is incompatible with the skill's safe, low-rate intent.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The document introduces DNSE trading-order API capability inside a skill described as free-tier-safe stock analysis. That broadens the operational scope from passive analysis to potentially account-impacting brokerage actions, increasing the risk that an agent or user repurposes the skill for live trading without appropriate safeguards.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The multi-source examples encourage use of external connectors beyond the stated Vietnam free-tier-safe scope, including global-market FMP and paid DNSE. This scope drift can cause the agent to access unintended providers, use paid services, or interact with riskier integrations than users expect from the skill description.

Context-Inappropriate Capability

High
Confidence
90% confidence
Finding
The architecture and provider list explicitly include DNSE as an order-placement API even though the skill is framed as stock analysis. In agent settings, documenting transactional capabilities that exceed declared purpose is dangerous because it normalizes higher-risk actions and may lead downstream tooling or operators to treat trading as an intended use case.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The encrypted storage example is cryptographically unsafe: it derives a Fernet key by padding/truncating a user password, rather than using a proper Fernet key or password-based key derivation function. This can mislead users into storing sensitive API keys with weak protection, creating a false sense of security and increasing the chance of secret compromise on a local system.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
There is a clear mismatch between the manifest's claimed constrained vnstock workflow and the implementation, which accepts arbitrary module, class, and method inputs. This is dangerous because it grants a broader execution surface than users, reviewers, or policy controls would infer from the skill description, making abuse and privilege creep more likely.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Dynamic import plus arbitrary class and method dispatch effectively provides a general plugin-style execution primitive. Even without explicit eval/exec, this broadens the skill into a generic runner whose reachable behavior depends on installed modules and object methods, which is unjustified by the stated business purpose and materially increases attack surface.

Vague Triggers

Low
Confidence
79% confidence
Finding
The short description is broad enough to match general stock-analysis requests, which can cause the agent router to invoke this skill outside its intended 'free-tier-safe Vietnam stock' niche. While not directly enabling code execution or data exfiltration, over-broad routing can lead to unintended tool use, incorrect assumptions about market scope, or unnecessary external API activity.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document explicitly instructs users to place multiple live API keys and a Binance API secret in a .env file, but it does not pair that guidance with an immediate, explicit warning about secret handling, least privilege, rotation, or avoiding disclosure. While .env use is common, omitting clear secret-safety guidance in installation docs increases the chance users will mishandle credentials, especially when the same document also demonstrates project structures and example files.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The proxy-usage section discusses routing traffic through external proxies without warning users that those intermediaries may log, inspect, or tamper with requests and responses. Even if the data is financial rather than highly sensitive, this creates avoidable confidentiality, integrity, and trust risks.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The recommended proxy configuration gives implementation guidance without disclosing the security and privacy implications of sending traffic through proxy infrastructure. Users may mistakenly assume the setup is safe by default and expose query patterns or received data to untrusted intermediaries.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The troubleshooting advice encourages use of external proxies to bypass blocking but omits any caution about data exposure and manipulation by those proxies. Because it is framed as a fix for common errors, users are especially likely to adopt it without understanding the risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The DNSE section describes trading-order API capability without prominent warnings about real-money trading, account changes, or the need for explicit user authorization. In an agent skill, omission of such warnings raises the chance of unsafe operational use and misunderstanding about whether examples are purely informational or capable of causing external effects.

VirusTotal

VirusTotal findings are pending for this skill version.
