ClawHub

stock-valuation-monitor

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed stock and ETF valuation helper that fetches public market data, with privacy and dependency-hygiene notes but no evidence of hidden persistence, credential use, account access, or destructive behavior.

Install only if you are comfortable with stock or ETF symbols being queried through external finance data services. Treat the outputs as research aids, not financial advice, and prefer a locked or reviewed dependency set in managed or enterprise environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill declares external market data sources and Python dependencies such as requests and akshare, which implies network access, but no permissions are declared. Undeclared network capability weakens transparency and policy enforcement because the host cannot clearly constrain or review outbound data access behavior.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill makes outbound requests to multiple third-party market-data providers based on user-supplied stock codes, but the handler contract does not clearly disclose that user queries will be sent to external services. This can expose user interest patterns and query contents to third parties, which is a privacy and data-governance risk, especially in enterprise or regulated environments.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger list contains broad finance phrases such as investment opportunity and risk assessment alongside regex-like stock-code patterns, which can cause the skill to activate on ordinary financial discussion rather than a clear user request for this tool. In a finance skill, unintended invocation is more concerning because it may insert analysis or investment-oriented output into general conversation and increase the chance of inappropriate or misleading assistance.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
pandas>=1.5.0
numpy>=1.21.0
akshare>=1.10.0  # 可选,用于历史数据
Confidence
95% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
pandas>=1.5.0
numpy>=1.21.0
akshare>=1.10.0  # 可选,用于历史数据
openpyxl>=3.0.0  # 可选,用于Excel导出
Confidence
95% confidence
Finding
pandas>=1.5.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
pandas>=1.5.0
numpy>=1.21.0
akshare>=1.10.0  # 可选,用于历史数据
openpyxl>=3.0.0  # 可选,用于Excel导出
Confidence
95% confidence
Finding
numpy>=1.21.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
93% confidence
Finding
requests

Known Vulnerable Dependency: numpy — 10 advisory(ies): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Critical
Category
Supply Chain
Confidence
84% confidence
Finding
numpy

Known Vulnerable Dependency: openpyxl — 2 advisory(ies): CVE-2017-5992 (Improper Restriction of XML External Entity Reference in Openpyxl); CVE-2017-5992 (Openpyxl 2.4.1 resolves external entities by default, which allows remote attack)

High
Category
Supply Chain
Confidence
90% confidence
Finding
openpyxl

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal