
Security audit

12 量化交易V2.2完整版 (Quantitative Trading V2.2 Complete Edition)

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it needs review because its trading alerts can send sensitive financial signals to external services with weak channel scoping and insufficient user warnings.

Install only after reviewing and disabling every notification channel you do not explicitly need. Do not place real SMTP, webhook, Telegram, or AI API credentials in config until you understand exactly what messages or files may leave your machine. Treat all outputs as research signals rather than investment advice, and validate with backtesting or paper trading before using real capital.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill advertises networked behavior and local file/config usage, but `requires: []` declares no permissions. This creates a transparency and governance gap: a host may allow the skill under the assumption that it has no sensitive capabilities, while it can still read local files/configuration and communicate externally. In this context, the documented SMTP and multi-channel notification features make the undeclared network capability especially relevant because they can transmit trading data, configuration-derived secrets, or user-triggered content off-host.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 89%
Finding
The skill is presented as a quantitative trading analysis system, but the documentation also includes outbound messaging across SMTP, WeCom, Feishu, DingTalk, Telegram, and Webhook, plus local config reading and deployment/test script execution. This broader behavior increases attack surface and can surprise users or platforms that expected analysis-only functionality; notification channels and scripts can be abused for data exfiltration, spam, or unsafe execution paths if enabled without strong controls. Because this is a finance-related skill handling potentially sensitive watchlists, signals, and account-adjacent configuration, the mismatch makes the behavior more dangerous rather than less.

Intent-Code Divergence

Low
Confidence: 86%
Finding
The test harness claims emails will not be sent because `enabled=False`, but the actual sample configuration sets `enabled=True`. If a user replaces placeholder credentials with real ones and runs the file, it can unexpectedly send live emails containing trading or system information, creating unintended external data disclosure.

Intent-Code Divergence

High
Confidence: 97%
Finding
The API contract says callers can target specific channels, but the implementation ignores that intent and the send loop broadcasts queued messages to all enabled notifiers. This can cause sensitive trading signals, account data, or risk alerts to be sent to unintended external platforms, creating accidental data leakage and over-sharing across third-party services.

Missing User Warnings

Medium
Confidence: 86%
Finding
The document recommends adding multi-channel notifications and custom webhooks but does not warn that stock data, prompts, account identifiers, or other sensitive operational content may be sent to third-party services. In a trading/analysis skill, this increases the chance that users will implement outbound integrations that leak confidential signals, portfolio information, or internal analysis results without proper review.

Missing User Warnings

Medium
Confidence: 91%
Finding
The document advises integrating OpenAI API for analysis without warning that prompts, market data, user questions, and possibly proprietary trading logic could be transmitted to an external provider. In the context of a quant-trading skill, this is more dangerous because strategy details and watchlist-related data may be commercially sensitive, and accidental disclosure to third parties can create compliance, privacy, and intellectual-property risk.

Missing User Warnings

Medium
Confidence: 88%
Finding
The document promotes SMTP-based email notifications without warning that trade signals, portfolio state, or operational alerts may be transmitted to external mail infrastructure. In a quantitative trading context, this can expose sensitive financial data or credentials if users configure insecure SMTP settings, shared inboxes, or third-party relays without understanding the risk.

Missing User Warnings

Medium
Confidence: 93%
Finding
The quick-start section encourages users to copy files and run a trading analysis pipeline immediately, and the conclusion says the system can be put into use right away, without prominent warnings about validating strategy logic, sandbox testing, or the possibility of affecting real funds. In the context of an automated trading skill, this is more dangerous than ordinary software documentation because users may operationalize unverified signals or connect the system to real trading workflows prematurely.

Missing User Warnings

Medium
Confidence: 91%
Finding
The guide instructs users to enable SMTP notifications and place sender credentials and recipient addresses directly in configuration/examples, but it does not clearly warn that trading signals, portfolio-related information, and personal email metadata will be transmitted to a third-party mail provider and may be exposed through logs, screenshots, repo commits, or misconfigured storage. In a quant-trading skill, this is more sensitive than generic app email because it can leak financial activity, account identifiers, and operational behavior to unintended parties.

Missing User Warnings

Medium
Confidence: 94%
Finding
The guide shows configuring an external AI API key for image recognition directly in YAML without clearly warning users to protect the secret or that uploaded images/data may be sent to an external provider. In this trading context, screenshots, charts, or related artifacts could contain proprietary strategies or market decisions, so silent external transmission increases confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence: 88%
Finding
The document specifies an email notification feature that sends trading signals, positions, prices, PnL, and risk details to external recipients, but it does not include any warning, consent flow, data-classification guidance, or security/privacy controls around that transmission. In a quantitative trading system, these messages can expose sensitive portfolio and strategy information to third-party mail providers or misaddressed recipients, increasing confidentiality and operational risk.

Missing User Warnings

Medium
Confidence: 89%
Finding
The documentation explicitly instructs users to run a deployment shell script from `/tmp` and then execute follow-up scripts, but provides no warning that the script may install software, modify the system, create files, or change the execution environment. In an agent-skill context, operational docs are often treated as trusted guidance, so encouraging shell execution without describing side effects increases the risk of unintended system modification or abuse if the script content is unsafe or replaced.

Missing User Warnings

Medium
Confidence: 84%
Finding
The documentation tells users to configure and use email notifications without warning that enabling this feature may transmit trading signals, operational status, or other potentially sensitive data to external email infrastructure. In this skill's context, outbound notifications can expose financial activity or system details, especially if recipients, SMTP settings, or message contents are misconfigured.

Missing User Warnings

Medium
Confidence: 90%
Finding
The module transmits potentially sensitive trading data, holdings, and system alerts over SMTP to external recipients without any explicit privacy warning, data-classification control, or minimization. In a quant-trading context, such outbound disclosures can expose portfolio positions, performance, and operational status to unintended parties if misconfigured or abused.

VirusTotal

66/66 vendors flagged this skill as clean.
