Fund Advisor

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate fund-advisor skill, but it deserves Review because it can erase local portfolio records and change global tool configuration without strong confirmation or recovery safeguards.

Install only if you are comfortable giving the skill access to your fund holdings and a qieman API key. Before importing, keep your own backup because CSV, Excel, and reset flows can replace or delete all local holdings. Review ~/.mcporter/mcporter.json after init, and avoid sending full account identifiers, balances, family finances, or other unnecessary personal data to qieman-mcp or into shared chat/log contexts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The importer unconditionally calls clear_all_holdings() before processing the CSV, so a routine import operation destroys all previously stored portfolio data. In a fund-holding management skill, this is especially dangerous because malformed, partial, or accidental imports can irreversibly replace a user's entire investment record, causing integrity loss and potentially misleading downstream analysis and advice.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code writes to the user's global ~/.mcporter/mcporter.json configuration as part of environment initialization, which changes host state outside the skill's own scope. For a fund-advisor skill, silently modifying a global CLI config can have broader effects on other tools and sessions, especially because no explicit consent or backup/merge safety is enforced beyond a best-effort JSON load.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The skill manages local CLI tooling state and executes an external mcporter command even though the declared purpose is fund advisory and data/query functionality. This is dangerous because it extends the trust boundary from data access into local system interaction, increasing the chance of unintended side effects or abuse through compromised external tooling.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The import routine unconditionally calls clear_all_holdings() before validating and importing all rows, so a malformed, partial, or attacker-supplied Excel file can wipe the user's entire portfolio dataset. In a fund-holding management skill, this is especially dangerous because the feature is described as import/management functionality, not destructive full replacement, and the deletion occurs without any visible confirmation or transactional rollback.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The activation condition says the skill should be prioritized whenever the user's question falls within its covered scope, but the scope is very broad. Overbroad triggering can cause the agent to invoke a shell-capable, data-importing skill in situations where the user did not clearly request local file operations or external data access.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The import commands state that incoming CSV or Excel data will overwrite the locally stored database, but the documentation does not require a confirmation, backup, or warning about destructive replacement. A mistaken file selection or accidental invocation could erase prior holdings data and silently replace it with incorrect data.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill combines imported personal holdings with qieman-mcp queries and synchronization, implying that sensitive financial portfolio data may be transmitted to an external service. Without a privacy notice, consent flow, or data-minimization guidance, users may unknowingly expose detailed investment information to third parties.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
These sections describe tools that analyze family structure, assets, liabilities, income, expenses, cash flow, and portfolio risk, which are all highly sensitive financial data categories. The document provides direct invocation examples with raw personal financial inputs but does not include any warning about sensitivity, consent, minimization, retention, or safe handling, increasing the chance that an agent or user will transmit excessive personal data into the toolchain without adequate safeguards.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The `reset` command irreversibly clears all holdings immediately, without a confirmation prompt, dry-run, or force flag. In a financial portfolio management CLI, accidental invocation can destroy user portfolio records and impair analysis, synchronization, and decision-making, even if this is not a remote-code or privilege-escalation issue.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The code places the API key directly into the SSE connection URL query string. Query parameters are commonly exposed through logs, proxy records, browser/history surfaces, monitoring tools, and exception messages, which increases the chance of credential leakage even if HTTPS is used. In this skill context, the risk is more meaningful because the skill handles financial data and likely connects to third-party fund services using privileged credentials.

Missing User Warnings

High
Confidence
98% confidence
Finding
Clearing all existing holdings without any confirmation or warning is a destructive state-changing behavior that violates user expectations for an 'import' feature. In this skill's context, holdings are sensitive financial records, so silent deletion can cause significant data loss and corrupt portfolio tracking, reporting, and investment decisions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill writes to the user's mcporter configuration file without an explicit warning or confirmation at the point of modification. Silent persistent changes to global config are risky because they can alter future behavior of unrelated workflows and make it harder for users to understand or revoke what the skill changed.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The code executes an external mcporter subprocess without explicit user-facing disclosure. Even though the command arguments are fixed here, invoking local executables broadens the attack surface because execution depends on the installed binary and environment, which may be tampered with or behave unexpectedly.

Missing User Warnings

High
Confidence
97% confidence
Finding
This code clears all existing holdings before processing the workbook and provides no in-code safeguard, warning, or confirmation path. If import later fails, the user can suffer irreversible data loss or silent state corruption, which is a meaningful security/integrity issue for financial portfolio records.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code renders and exports highly sensitive financial data including fund_account, trade_account, holdings, asset values, and related portfolio details directly to table or JSON output with no authorization check, masking, consent prompt, or context-sensitive disclosure control in this layer. In an agent skill that may be invoked in response to user queries, this creates a real risk of exposing private investment data to an unintended viewer, downstream tool, log sink, or chat transcript.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
show_fund_detail exposes per-user holdings tied to specific fund_account and trade_account identifiers, along with holding shares and asset value, again without any visible access control, redaction, or user-warning boundary in the presentation path. Because this skill is a fund advisor handling personal portfolio data, the context makes this more dangerous: the disclosed data is inherently sensitive financial information and could enable privacy violations, account correlation, or targeted fraud if surfaced to the wrong party.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pytest>=7.0.0

# Data handling
openpyxl>=3.1.0

# Database
# sqlalchemy>=2.0.0  # simple projects use sqlite3 directly
Confidence
88% confidence
Finding
openpyxl>=3.1.0

Known Vulnerable Dependency: openpyxl — 2 advisory(ies): CVE-2017-5992 (Improper Restriction of XML External Entity Reference in Openpyxl); CVE-2017-5992 (Openpyxl 2.4.1 resolves external entities by default, which allows remote attack)

High
Category
Supply Chain
Confidence
94% confidence
Finding
openpyxl

VirusTotal

63/63 vendors flagged this skill as clean.
