港股美股监控 (Hong Kong and US Stock Monitoring)

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward market-monitoring skill with minor disclosure and portability issues around its saved state file.

Install only if you want a local market monitor. Use a Python virtual environment instead of `--break-system-packages`, review or change the hard-coded state-file path before running regularly, and add the cron entry only if you intentionally want periodic background monitoring.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 79%
Finding:
The skill documentation indicates persistent state is written to `memory/stocks_monitor.json`, but no permissions are declared to inform users or host systems that file-write behavior occurs. Undeclared write capability reduces transparency and can bypass least-privilege expectations, especially in agent environments where skills are expected to explicitly declare side effects.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 89%
Finding:
The documented behavior overstates capabilities and omits material side effects: it claims customizable watchlists and alerting, but the actual behavior appears limited to a hard-coded stock list while also persisting monitoring state locally. This kind of mismatch is dangerous because users and orchestration systems may trust the declared purpose when deciding whether to install or invoke the skill, leading to uninformed acceptance of undisclosed storage behavior and incorrect operational assumptions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 83%
Finding:
The script writes data to a hard-coded absolute path under a workspace memory directory without validating that the location is appropriate for the current environment or that the user expects persistence there. This can create privacy and integrity issues by silently storing activity in a shared or sensitive location, and it may overwrite existing files if path assumptions are wrong.

Missing User Warnings

Severity: Low
Confidence: 71%
Finding:
The markdown names a persistent state file but does not clearly warn that the skill writes data to disk during periodic execution. In scheduled contexts such as cron, silent disk writes can accumulate over time and may surprise users who expected a read-only market-monitoring tool.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The skill silently writes monitoring state to a fixed local file without any user-facing warning, opt-in, or documentation. Even though the stored content is not highly sensitive, undisclosed persistence can surprise users, leak behavioral information, and violate the principle of least astonishment in an agent skill environment.

VirusTotal

66/66 vendors flagged this skill as clean.