Security audit

A-share same-day institutional news (A股当日机构消息)

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple stock-news report generator that fetches one disclosed external feed, with no evidence of local data access, persistence, or destructive behavior.

Safe to install for summarizing daily stock-market institutional messages, but treat it as an unverified news digest rather than investment advice. Be aware it contacts a specific external HTTP API, so confirm important market or company claims with trusted sources before making decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (93% confidence)
Finding
The trigger phrases are broad enough to match common requests like '今天有什么重要消息' ("What important news is there today?") or '看一下今天的股市消息' ("Take a look at today's stock market news"), which can cause the skill to activate unexpectedly instead of a more appropriate default workflow. In this skill, unintended activation is more concerning because it leads to external data retrieval and finance-related summarization, potentially bypassing user expectations about source selection and tool use.

Missing User Warnings

Medium (97% confidence)
Finding
The skill fetches data from an external API over plain HTTP without warning the user in the skill description. This creates both transparency and security problems: users are not informed that third-party content is being retrieved, and plain HTTP allows interception or tampering with the returned financial news feed, which could manipulate the generated report.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.