Stock Analysis

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis skill largely matches its purpose, but it asks users to use sensitive X/Twitter session cookies and includes under-scoped personal notification/reporting scripts.

Install only if you are comfortable with a finance skill storing local portfolio/watchlist data and contacting several external market/news/social services. Do not provide X/Twitter AUTH_TOKEN or CT0 unless you understand they are sensitive session credentials; prefer running with social scanning disabled. Review or remove the Feishu daily-review scripts before use, especially the hardcoded recipient and workspace paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for category, query in searches:
    try:
        env = os.environ.copy()
        result = subprocess.run(
            [bird_bin, "search", query, "-n", "15", "--json"],
            capture_output=True, text=True, timeout=30, env=env
        )
Confidence
93% confidence
Finding
result = subprocess.run( [bird_bin, "search", query, "-n", "15", "--json"], capture_output=True, text=True, timeout=30, env=env

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises executable behavior involving shell, network access, environment use, and local file read/write, yet does not declare permissions. That creates a trust and sandboxing gap: users and platforms cannot accurately assess or constrain what the skill can do before installation, increasing the risk of unintended data access, network exfiltration, or filesystem modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
This is a serious description-to-behavior mismatch: the skill claims to provide Yahoo Finance-based stock analysis, but static analysis indicates broader hidden functionality including unrelated market sources, local file operations, hardcoded portfolio tracking, report generation, and Feishu notification preparation tied to a specific recipient. Hidden or undeclared behavior is dangerous because it can conceal data collection, targeted monitoring, or exfiltration workflows that users did not consent to and would not expect from the published description.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script writes generated reports and staged notification payloads into the local workspace, which introduces side effects beyond pure stock analysis. In an agent environment, unattended file creation can expose portfolio information to other tools or users with workspace access and can enable unintended persistence of sensitive financial summaries.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script contains hard-coded Feishu delivery behavior, including a specific recipient identifier, which creates a fixed outbound notification path not justified by the analysis-only skill purpose. Hard-coded destinations are risky because they can silently direct sensitive portfolio summaries to an unintended or unauthorized party if the script is run in a real environment.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The module loads a project-level `.env` into process environment and later uses external tooling for Twitter/X access, which means locally stored secrets may be consumed by a subprocess without clear need for the core stock-analysis function. In an agent skill, broad secret loading increases exposure because any later feature can unintentionally inherit or exfiltrate those credentials.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This function adds host-execution capability by invoking a local CLI to collect Twitter/X data, which is a materially broader capability than ordinary financial data retrieval. In a skill context, that increases attack surface because the runtime now depends on local binaries, local auth state, and subprocess behavior that may not be visible to users.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The roadmap explicitly plans product analytics and error tracking but does not pair that collection with any user-facing consent, notice, or opt-out design beyond a generic future privacy policy mention. In a consumer finance app, telemetry can reveal sensitive behavioral and portfolio-related usage patterns, creating privacy and compliance risk if collected without transparent disclosure and appropriate consent where required.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to extract Twitter/X session cookies (AUTH_TOKEN and CT0) from browser DevTools and store them in a local .env file. Session cookies are highly sensitive credentials; encouraging manual extraction and reuse outside the browser increases the risk of account takeover, token leakage via logs/files, and possible violation of platform security expectations if mishandled.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The skill instructs users to place Twitter/X authentication material in a local .env file without any warning about secret handling, account risk, or privacy implications. Even if this is a common setup pattern, omitting safeguards increases the chance that users will expose tokens in plaintext, commit them to version control, or grant the skill broader account access than they realize.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to extract and store live Twitter/X session credentials (`auth_token` and `ct0`) via browser cookies and place them in a local `.env` or environment variables, but it does not warn that these are highly sensitive session tokens equivalent to account access. In an agent/automation context, this is dangerous because users may expose tokens through logs, shell history, shared repos, or misconfigured environments, enabling unauthorized access to the linked X account.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The script performs automatic Google News RSS queries during analysis without prominent user-facing disclosure at the point of execution. In an agent-skill context, implicit outbound requests matter because users may expect only Yahoo Finance access and may not realize their analysis action triggers additional network activity to third parties.

Missing User Warnings

Low
Confidence
80% confidence
Finding
SEC EDGAR access sets a fixed identity string (`stock-analysis@clawd.bot`) without informing the user or allowing operator configuration. In an agent environment, hidden outbound identity attribution can misrepresent who is making requests and reduces transparency and auditability for external service usage.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends user portfolio-derived stock symbols to an external Tencent market data endpoint over plain HTTP, revealing trading interests and enabling network interception or tampering. Even though only symbols are transmitted, holdings-associated lookups can disclose sensitive investment behavior when correlated with generated profit summaries.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script loads every key from a local .env file directly into process environment variables and later passes the full environment to an external CLI. That can expose unrelated secrets to child processes unnecessarily, expanding the blast radius if the external tool is compromised, logs its environment, or behaves unexpectedly.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
This helper makes outbound requests to Google News and fetches remote content without any user disclosure, consent flow, or network restriction. In an agent skill context, silent external requests can leak operational metadata such as search interests, timing, and IP address, and they increase exposure to untrusted remote content.

External Transmission

Medium
Category
Data Exfiltration
Content
print("4️⃣ 网易财经...")
try:
    market_code = '0' if symbol.startswith('6') else '1'
    url = f"http://api.money.126.net/data/feed/{market_code}{symbol},money.api"
    print(f"   URL: {url}")
    start = time.time()
    response = requests.get(url, timeout=5)
Confidence
95% confidence
Finding
http://api.money.126.net/

VirusTotal

66/66 vendors flagged this skill as clean.
