Back to skill

Security audit

eastmoney skills

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed simulated stock-trading helper, but its cancel and trade flows can change account state directly, including canceling all open orders from broad wording without confirmation.

Install only if you intend to connect a 妙想 simulated trading account. Keep MX_APIKEY secret, leave MX_API_URL pointed at the legitimate provider endpoint, avoid vague buy/sell/cancel wording, and treat the output directory as sensitive because it stores raw account results. Be especially careful with cancel requests, since this version can cancel all open simulated orders from broad cancel wording.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Tainted flow: 'url' from os.environ.get (line 54, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
}
    
    try:
        response = requests.post(url, headers=headers, json=payload, timeout=30)
        response.raise_for_status()
        return response.json()
    except requests.exceptions.RequestException as e:
Confidence
96% confidence
Finding
response = requests.post(url, headers=headers, json=payload, timeout=30)

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The documentation adds automatic local output files containing extracted text and raw JSON, which is not necessary for core simulated trading actions and increases data exposure. Those files may contain portfolio, order history, balances, or identifiers and can persist in shared or insufficiently protected workspaces.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill writes account balances, holdings, orders, and trade results to local files under /root/.openclaw/workspace/mx_data/output without any minimization, consent, retention control, or access restriction. These files can expose sensitive financial activity to other local processes, future sessions, or anyone with filesystem access. Because this is a trading simulator handling account data, silent persistence materially increases privacy and data exposure risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents buy, sell, and cancel operations without a prominent warning that they change simulated account state and may submit or revoke orders. In an agent setting, this can cause unintended execution of high-impact account actions if the assistant infers intent too aggressively or the user does not realize a command is state-changing.

Missing User Warnings

High
Confidence
98% confidence
Finding
Natural-language input containing words like '撤单' or 'cancel' immediately triggers a bulk cancel payload of {'type': 'all'} with no confirmation, scope selection, or dry-run. This creates a high-risk unsafe-action path where ambiguous or maliciously crafted prompts can cancel all outstanding orders. In a trading context, even a simulator can train unsafe behavior patterns and may still affect real user workflows or linked systems.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script parses natural-language text for stock codes, quantities, and price hints, then directly submits buy/sell requests to the trade endpoint without an explicit confirmation step. Ambiguous phrasing, prompt injection through upstream agent workflows, or user misunderstanding could lead to unintended trades. This is especially dangerous in a financial-action skill because the core capability is transaction execution, not just read-only retrieval.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill silently writes sensitive account and trading results to disk without notifying the user. This can expose financial data beyond the immediate session and create an unexpected audit trail or privacy leak on shared systems. The trading context increases sensitivity because holdings, balances, and order history are financially valuable data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.