Xia China Stock Analysis

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform the advertised stock-analysis work, with expected external market/news lookups and local watchlist/report files.

Install only where you are comfortable sending stock and news queries to external finance/search services. Review any local mcporter, Tavily, node, uv, yfinance, or akshare setup before enabling those fallbacks, and clear local watchlist or analysis-log files if your research history is sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def search(self, query: str, max_results: int = 5) -> Optional[NewsSearchResult]:
    try:
        # Call mcporter
        result = subprocess.run(
            ['mcporter', 'call', 'zhipu-search.web_search_prime', '--arg', f'query={query}'],
            capture_output=True,
            timeout=30,
Confidence
89% confidence
Finding
result = subprocess.run( ['mcporter', 'call', 'zhipu-search.web_search_prime', '--arg', f'query={query}'], capture_output=True, timeout=30,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    # Call the Tavily script
    result = subprocess.run(
        ['node', str(self.tavily_script), query, '--max-results', str(max_results)],
        capture_output=True,
        timeout=30,
Confidence
90% confidence
Finding
result = subprocess.run( ['node', str(self.tavily_script), query, '--max-results', str(max_results)], capture_output=True, timeout=30,

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no permissions while its documented behavior and detected capabilities include network, shell, file read/write, and MCP access. This creates a transparency and policy-enforcement gap: an agent or reviewer may treat the skill as low-risk when it can actually execute commands, persist data, and reach external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose is stock analysis, but the detected behavior extends to persistent storage, subprocess spawning, logging/audit trails, and use of local tools/services beyond what a user would reasonably expect. This mismatch is dangerous because it can hide expanded execution and data-handling scope, increasing the risk of unintended command execution, sensitive local data exposure, or covert persistence.

Context-Inappropriate Capability

Medium
Confidence
75% confidence
Finding
The stock data manager performs an external CLI execution (`mcporter --help`) that is unrelated to returning market price DataFrames. In an agent environment, invoking an unexpected external tool expands the attack surface and can execute an attacker-controlled binary if PATH or the runtime environment has been tampered with.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The module fulfills a news-search feature by launching external local programs, which increases capability beyond ordinary stock/news analysis. In an agent context, that matters because any local program execution widens the trust boundary and can become a pivot point if those executables are replaced, misconfigured, or unsafe with crafted input.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Running a local Node.js search script adds an unnecessary local code-execution dependency for a news-search workflow. In this skill context, that is more dangerous because agent-supplied queries can reach local code paths, and compromise of the script or its runtime would affect the host rather than only an external search service.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The activation text is broad enough to trigger on generic finance discussions, which can cause the skill to activate unexpectedly and grant access to networked data retrieval, shell scripts, or persistent watchlist features in contexts where the user did not intend it. Over-broad routing increases the chance of unnecessary tool use and expands exposure to the skill's higher-risk capabilities.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The save_log method writes detailed analysis history and summary data to disk under a persistent memory directory without any consent, notice, retention control, or redaction. In an agent skill handling investment research, queries, stock interests, errors, and step metadata may reveal sensitive user behavior or proprietary prompts, so silent persistence increases privacy and data-leak risk if the host is multi-tenant or logs are later exfiltrated.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The script accepts an arbitrary output path and writes to it directly, creating parent directories as needed and overwriting existing files without warning. In an agent or automated context, this can be abused to clobber user files within the agent's permissions, especially if untrusted input can influence the output path.

Known Vulnerable Dependency: requests — 10 advisories: CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
85% confidence
Finding
requests

VirusTotal

67/67 vendors flagged this skill as clean.