ClawHub
Back to skill

Security audit

SEC 13F Whale Tracker

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward SEC filings tracker that fetches public EDGAR data and writes local reports, with a network proxy caveat users should understand.

Install it in an isolated virtual environment, review whether bypassing proxy variables is acceptable on your network, and enable cron or channel posting only if you intentionally want recurring SEC report generation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill invokes shell commands, creates a virtual environment, installs Python dependencies, accesses environment variables, writes local files, and makes outbound network requests to SEC EDGAR, but it declares no permissions. This mismatch is a real security issue because users and orchestrators cannot accurately assess or constrain the skill's capabilities, increasing the risk of unintended code execution, network access, and filesystem modification.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script deletes proxy-related environment variables process-wide before issuing network requests, which changes the host application's network policy rather than just configuring this one HTTP client. In environments that rely on proxies for egress control, logging, DLP, or SSRF containment, this can bypass expected monitoring and routing and affect other code running in the same process.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal