Back to skill

Security audit

Ripe Scanner

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate market scanner, but it needs Review because it claims local/no-key operation while making external requests and silently using a Tavily API key if one is present.

Review before installing. Use it only if you are comfortable with ticker searches and market-interest patterns being sent to third-party services, avoid setting TAVILY_API_KEY unless you intentionally want Tavily-backed Reddit sentiment, install dependencies in an isolated Python environment, and delete ~/.openclaw/workspace/memory/ripe_scanner if you do not want local scan history retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Tainted flow: 'req' from os.environ.get (line 245, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
}).encode()
        req = urllib.request.Request('https://api.tavily.com/search', data=data,
                                     headers={'Content-Type': 'application/json'})
        resp = json.loads(urllib.request.urlopen(req, timeout=10).read())
        posts = resp.get('results', [])
        if not posts:
            return None
Confidence
98% confidence
Finding
resp = json.loads(urllib.request.urlopen(req, timeout=10).read())

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises and documents network access plus persistent file writes, yet the metadata shown does not declare permissions. Undeclared capabilities reduce user visibility and bypass informed consent, especially because the skill writes snapshots/logs under the workspace and reaches external data sources.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The declared purpose is a market scanner, but the documented behavior extends to persistent local history, longitudinal performance tracking, snapshot comparison, and use of a different external search/API path than the user would expect from the description. This mismatch undermines transparency and can cause users to authorize a tool without understanding that it stores data over time and accesses broader external services.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The header claims 'Zero API cost, fully local computation,' but the implementation performs multiple live network requests to Wikipedia, Yahoo Finance, StockTwits, and optionally Tavily. This mismatch can mislead users into running a networked skill in contexts where they expect no external data transfer or third-party dependence.

Context-Inappropriate Capability

Low
Confidence
94% confidence
Finding
The skill accesses an environment-stored API credential even though its stated purpose does not disclose secret handling. In an agent environment, undisclosed credential access is risky because users may grant execution assuming the tool only analyzes public market data.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The README emphasizes 'No API keys. No rate limits. Runs locally.' while not clearly warning that the skill still pulls data from external market and social platforms such as yfinance, StockTwits, and Reddit. This can mislead users about privacy, network access, reliability, and compliance expectations, especially in agent environments where outbound requests may be sensitive or restricted.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger text is broad enough to activate on ordinary investing conversations, increasing the chance the skill runs when the user did not intend to invoke a networked, stateful scanner. Over-broad routing is a security concern because it widens exposure to external requests and disk writes beyond narrowly scoped user consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The markdown states that daily snapshots and signal logs are stored persistently in the workspace, but it does not present this as a clear warning or consent point to the user. Silent persistence can accumulate sensitive behavioral or financial-interest data over time and surprises users who may expect a transient analysis tool.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The Tavily API key is transmitted to an external service without any explicit notice to the user. Even if needed for legitimate authentication, silent use of environment secrets in outbound requests violates least surprise and increases the chance of unauthorized credential use in shared agent environments.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The skill writes snapshots and signal history under the user's home directory without clear notice. This creates persistent local data retention that users may not expect, potentially exposing trading interests or usage history to other local processes or future sessions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.