Quant Stock

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis skill mostly matches its purpose, but it needs review because it can persistently run and automatically send reports to hardcoded Feishu/OpenClaw chat targets.

Review before installing. Use this only if you are comfortable with automated stock reports and failure notifications being sent to Feishu/OpenClaw targets embedded in the scripts; edit or remove those IDs first. Avoid running scripts/install_cron.sh unless you explicitly want persistent scheduled execution, and verify the missing update_hot.sh reference and the exact cron schedule.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation describes executable capabilities that include reading and writing local files and making network requests, but it does not declare corresponding permissions. This creates a transparency and consent problem: a user or hosting platform may treat the skill as lower risk than it actually is, while it can access credentials, modify local artifacts, and transmit data externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose frames the skill as a stock analysis/reporting tool, but the documented behavior includes external message delivery, scheduled persistence via cron, stock-pool maintenance, multi-source news retrieval, and credential-based authentication to Feishu. This mismatch is dangerous because users may approve or run the skill without realizing it installs recurring tasks, uses secrets, and sends outputs or alerts to third parties.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script alters the user's crontab to create persistent scheduled execution, which is behavior beyond simple one-time stock analysis/report generation. Even if intended for convenience, modifying host persistence mechanisms expands the skill's privileges and can surprise users, creating ongoing execution and a larger attack surface if the workspace or called scripts are later changed.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Installing persistent scheduled jobs in the host environment is a meaningful capability escalation relative to the stated purpose of stock selection analysis. In this context, the danger is increased because the scheduled jobs run automatically on weekdays and weekly, enabling continued code execution without further user interaction.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill does more than local stock analysis: it authenticates to Feishu and sends the generated report to an external chat. In an agent-skill context, this is dangerous because it expands the skill's data-handling scope beyond its stated purpose and can leak generated outputs to third-party services without explicit user awareness.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code is wired to use external messaging credentials and a hard-coded Feishu chat destination, which is unrelated to the core computation of stock scoring. In a skill environment, hidden credential use plus outbound messaging creates a real risk of unauthorized disclosure and operational misuse if the skill is run automatically.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script exfiltrates generated stock reports and failure notifications to an external Feishu recipient using a hard-coded target ID, but this outbound messaging behavior is not disclosed by the skill description. Undisclosed data transmission is dangerous because users may assume the tool only performs local analysis, while sensitive outputs, operational status, or embedded data can be silently sent to a third party.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Invoking an external messaging CLI to push report contents expands the skill from analysis into external communication, which is not clearly necessary from the stated stock-picking purpose. This creates a data-loss channel and increases abuse potential because any report content produced by the Python engine is automatically forwarded off-system without validation or user awareness.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill notes that Feishu push is automatic, but the description does not clearly warn that reports are sent to an external group chat, which can expose analysis results and potentially related metadata to third parties. In a financial-analysis context, even non-PII outputs may be commercially sensitive, and silent sharing increases the risk of unintended disclosure.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script installs the generated crontab non-interactively, replacing the user's crontab contents with a modified version and providing no confirmation prompt or dry run. This is dangerous because users may not realize persistent jobs are being added, and any mistake in the filtering or file generation logic can remove or alter unrelated scheduled tasks.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill loads Feishu credentials from a local config file and exchanges them for an access token without any user-facing disclosure. In this context, undisclosed credential-backed network authentication is risky because users may believe the skill is purely analytical while it is actually interacting with an external platform under privileged app credentials.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script sends the full report content to Feishu without any user-facing warning, prompt, or disclosure at the point of transmission. Silent transmission is risky because reports may contain proprietary analysis, trading signals, or unexpected sensitive data generated downstream, and users are given no chance to review or block the outbound send.

VirusTotal

67/67 vendors flagged this skill as clean.
