Stock-Decision

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis skill matches its stated purpose, but it needs review because crafted stock names or codes can be passed into local shell commands.

Review before installing. Use only plain stock names or standard ticker codes, avoid private portfolio details, and verify the westock-data dependency. The publisher should remove shell=True, pass subprocess arguments as arrays, validate ticker inputs, and clarify which macro and backtest features are actually implemented.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Search for a stock"""
        print(f"\n🔍 搜索股票: {self.stock_input}")
        cmd = f"node ~/.workbuddy/skills/westock-data/scripts/index.js search '{self.stock_input}'"
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

        if result.returncode == 0:
            output = result.stdout
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Fetch K-line (candlestick) data
        cmd = f"node ~/.workbuddy/skills/westock-data/scripts/index.js kline {self.stock_code} daily {days} hfq"
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

        if result.returncode == 0:
            try:
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
end_date = datetime.now().strftime('%Y-%m-%d')
        start_date = (datetime.now() - timedelta(days=days)).strftime('%Y-%m-%d')
        cmd = f"node ~/.workbuddy/skills/westock-data/scripts/index.js technical {self.stock_code} ma,macd,kdj,rsi,dmi,vol,boll {start_date} {end_date}"
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

        if result.returncode == 0:
            try:
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document markets the skill as providing comprehensive analysis, including macro assessment and historical backtesting, but later admits those capabilities are not implemented. In a stock recommendation skill, this mismatch can mislead users or downstream agents into overtrusting outputs and making financial decisions on incomplete analysis.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The version history states that macro analysis and the comprehensive scoring system are still pending, contradicting earlier sections that present them as active features. This inconsistency increases the risk that users, integrators, or autonomous agents will rely on nonexistent safeguards or decision logic.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
User-controlled stock input is interpolated directly into a shell command intended for a data lookup. Because the skill context is a stock-analysis tool, users would not expect arbitrary command execution capability, so this expands the tool's power far beyond its stated scope and enables host compromise.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger examples include very broad phrases such as asking to judge whether a stock is suitable to buy, which can match generic user requests beyond a tightly scoped invocation pattern. Over-broad activation can cause the skill to run unintentionally in unrelated conversations, increasing the chance of unsolicited financial guidance or context-inappropriate tool use.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill executes a shell command on behalf of untrusted user input without any warning, confirmation, or isolation. In this context, that is dangerous because the feature is presented as harmless stock analysis while actually exposing command-execution behavior to whoever supplies the stock name.

VirusTotal

64/64 vendors flagged this skill as clean.
