Security audit

TZZB Analyzer - Tonghuashun Portfolio Analyzer

Security checks across malware telemetry and agentic risk

Overview

This portfolio-analysis skill is coherent, but it needs review because it accesses a logged-in browser session and saves sensitive financial data locally by default.

Install only if you are comfortable letting the skill use a logged-in Tonghuashun/TZZB browser session and store portfolio details on disk. Prefer an isolated Chrome profile, keep CHROME_DEBUG_URL local, avoid shared machines, periodically clean data/ and memory/, and verify any investment recommendations before acting on them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    try:
        if sys.platform.startswith("win"):
            creationflags = subprocess.CREATE_NEW_PROCESS_GROUP | subprocess.DETACHED_PROCESS
            proc = subprocess.Popen(
                args,
                stdout=subprocess.DEVNULL,
                stderr=subprocess.DEVNULL,
Confidence
88% confidence
Finding
proc = subprocess.Popen( args, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, close_fds=True, creatio

Tainted flow: 'args' from os.getenv (line 102, credential/environment) → subprocess.Popen (code execution)

Medium
Category
Data Flow
Content
    try:
        if sys.platform.startswith("win"):
            creationflags = subprocess.CREATE_NEW_PROCESS_GROUP | subprocess.DETACHED_PROCESS
            proc = subprocess.Popen(
                args,
                stdout=subprocess.DEVNULL,
                stderr=subprocess.DEVNULL,
Confidence
95% confidence
Finding
proc = subprocess.Popen( args, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, close_fds=True, creatio

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation indicates access to environment variables, local files, network resources, and shell execution, yet it does not declare permissions in a dedicated, user-visible way. This weakens consent and review boundaries: a user may invoke a portfolio-analysis skill without realizing it can read sensitive account-adjacent data, write state/config files, and connect to local browser debugging endpoints.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The stated purpose focuses on portfolio analysis, but the documented behavior extends to local Chrome remote-debugging interaction, service-status checks, scheduled report generation, and ingestion of externally injected news. That mismatch is dangerous because users may authorize a seemingly narrow analysis skill that actually exercises broader local-system and data-ingestion capabilities, increasing the risk of unintended access or abuse.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The report presents materially inconsistent cost-basis and P&L data for the same holding, first stating cost 5.26 with zero floating profit/loss and later stating cost 5.21 with a +8 yuan gain. In an investment-analysis skill, contradictory portfolio metrics can mislead users into making trading decisions based on inaccurate account state, especially when paired with explicit hold/observe recommendations.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script persists generated reports and Feishu-formatted data under the local data directory, which contains sensitive portfolio, holdings, and trade information. Because the skill description emphasizes reading account data and generating analysis, silently writing those results to disk expands data retention and exposure beyond a read-only expectation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill handles highly sensitive financial context: holdings, watchlists, and transaction history can reveal net worth, strategy, risk tolerance, and personal behavior. Failing to clearly warn users that this data is read from brokerage-related context undermines informed consent and can lead to oversharing or unsafe deployment in shared or automated environments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The positions command writes portfolio data to a local file under DATA_DIR without any explicit warning, consent, or retention controls. Because holdings data is sensitive financial information, silent persistence increases the risk of local disclosure to other users, malware, backups, or later unintended reuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The analyze command saves both the full analysis report and raw positions to disk without explicit disclosure, even though the contents include sensitive financial holdings and derived insights. In the context of an investment-account analysis skill, this materially increases privacy risk because users may expect transient processing rather than local archival.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script persists generated reports and Feishu-formatted output under the local data directory, and those reports contain sensitive financial information such as assets, positions, profits, and trading activity. In an investment-account analysis skill, that context makes local persistence more sensitive because compromise of the host, backups, logs, or shared workspace could expose private account data.

Missing User Warnings

High
Confidence
98% confidence
Finding
This function extracts authenticated cookies from the user's live browser session and returns them as a dictionary, including cookies for `.10jqka.com.cn` domains. Cookie exfiltration is highly sensitive because those values may enable session hijacking or unauthorized access to the user's financial account data, and the skill context makes this especially dangerous.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code issues authenticated requests from the browser session to retrieve the user's watchlist using the active login state, without any visible consent gate or notice in this file. Although this may be core functionality, it accesses private account-linked data and can silently transmit it to the tool, which is sensitive in an automation/agent setting.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code performs authenticated account discovery and stock-position queries from the user's logged-in browser context. Because it retrieves private financial holdings data, unauthorized use or downstream leakage could expose highly sensitive investment information, and the financial-analysis skill context raises the severity of that privacy risk.

Missing User Warnings

High
Confidence
96% confidence
Finding
This routine extracts detailed trade history from an authenticated account page, including dates, securities, prices, quantities, and fees. Trade history is extremely sensitive financial data; in an agent skill, silent collection from a live browser session can materially violate user expectations and create serious privacy and account-security exposure if mishandled.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code directly accesses a logged-in browser session and extracts highly sensitive financial data including watchlists, positions, and trade records, but this file contains no consent prompt, disclosure, or scope-limiting control before collection. In the context of an agent skill, silently reading brokerage-like data from an existing authenticated session increases the risk of privacy violations and unauthorized collection if invoked without the user's clear understanding.

VirusTotal

64/64 vendors flagged this skill as clean.