
Security audit

quant_trading-skills

Security checks across malware telemetry and agentic risk

Overview

This finance data skill is mostly coherent, but it needs Review because its batch modes write to caller-chosen local paths and one advertised sentiment feature returns mock news as if it were fetched data.

Install only if you are comfortable with local batch data collection. Use a virtual environment, keep output and status paths inside the skill’s own data/config directories, do not pass custom status_file or data_path values, monitor disk and network usage while batch jobs run, and do not rely on single-stock public_opinion output for real financial sentiment until it is fixed or clearly labeled as mock data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Tainted flow: 'status_file' from sys.stdin.read (line 131, user input) → open (file write)

Medium
Category
Data Flow
Content
import json
import os
from typing import Any, Dict

def write_status(status_file: str, status: Dict[str, Any]) -> bool:
    # status_file is caller-controlled and reaches the filesystem unchanged (the flagged sink).
    try:
        os.makedirs(os.path.dirname(status_file), exist_ok=True)
        with open(status_file, 'w', encoding='utf-8') as f:
            json.dump(status, f, ensure_ascii=False, indent=2)
        return True
    except IOError:
        # The scan excerpt ends here; returning False completes the bool contract.
        return False
Confidence
95% confidence
Finding
with open(status_file, 'w', encoding='utf-8') as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises code-capable behaviors such as file reads, file writes, and shell-based installation/execution, but does not declare any permissions or clearly constrain those capabilities. In an agent environment, hidden or undeclared capability expansion is dangerous because users may invoke what appears to be a simple data-query skill while it actually performs local persistence, state changes, and external command execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The documented purpose is data retrieval, but the skill also describes broader behaviors: large-scale batch collection, persistent local Parquet storage, fetch-status tracking, and retrieval of full A-share code lists. This mismatch is risky because users and calling systems may grant trust or invoke the skill assuming read-only lookup behavior, while it can consume significant resources and alter local state beyond the declared scope.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The top-level description frames the skill as merely 'getting quantitative data,' yet the document defines durable local storage, incremental status tracking, and overwrite behavior for Parquet files. That discrepancy matters because it conceals stateful side effects and creates risk of unexpected disk usage, data retention, and modification of local files in environments expecting a stateless fetch-only tool.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill exposes batch leaderboard and northbound-flow collection paths that go beyond the stated query-oriented financial lookup purpose and accept filesystem-related parameters. In an agent environment, this expands capability from simple data retrieval to bulk export and local file writing, which can be abused for unintended persistence, excessive data extraction, or writing to unauthorized locations depending on downstream implementations.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This batch operation accepts caller-controlled status_file and data_path values, which is dangerous if downstream functions read from or write to the filesystem using those paths. In a skill that is supposed to query financial data, exposing arbitrary path parameters creates a path traversal / unauthorized file access surface and also enables bulk data export behavior outside the expected scope.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Additional batch operations also forward caller-supplied status_file and data_path parameters directly into backend processing. That widens the attack surface across multiple code paths and increases the chance of arbitrary file overwrite, unintended file creation, or reading sensitive local state if the underlying batch functions trust these paths.
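The tainted-flow finding above and the two Context-Inappropriate Capability findings describe one weakness: status_file and data_path come from the caller and reach filesystem calls unchanged. The block below is an added example, not the skill's own code, of the guard a hardened version would apply: resolve every caller-supplied path against the skill's own data directory and refuse anything that lands outside it, including symlink escapes. The names confine_path, write_status_confined and the base_dir argument are hypothetical; the scratch directory and sample paths are constructed for the demo.

```python
import json
import os
import tempfile
from typing import Any, Dict


class UnsafePathError(ValueError):
    """Raised when a caller-supplied path would escape the allowed base directory."""


def confine_path(base_dir: str, user_path: str) -> str:
    """Return an absolute path for user_path that is guaranteed to lie strictly under base_dir.

    Relative paths are taken relative to base_dir. Absolute paths are accepted only if they
    already resolve inside base_dir. realpath() resolves symlinks in the existing part of the
    path and collapses '..' in the rest, so neither a symlink nor traversal can escape.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows: certainly not inside
        inside = False
    if not inside or candidate == base:
        raise UnsafePathError(f"path {user_path!r} resolves outside {base}")
    return candidate


def write_status_confined(base_dir: str, status_file: str, status: Dict[str, Any]) -> str:
    """Hardened counterpart of the audited write_status: the file must sit under base_dir.

    Because the returned path is absolute, os.path.dirname() is never '' (the audited
    version raises on a bare filename for that reason).
    """
    target = confine_path(base_dir, status_file)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w", encoding="utf-8") as f:
        json.dump(status, f, ensure_ascii=False, indent=2)
    return target


def demo() -> Dict[str, Any]:
    """Exercise the guard against a scratch directory and report what happened."""
    base = tempfile.mkdtemp(prefix="skill-data-")  # constructed stand-in for the skill's data dir
    results: Dict[str, Any] = {}

    written = write_status_confined(base, "status/fetch_status.json", {"fetched": 3})
    results["written_inside_base"] = (
        os.path.isfile(written) and written.startswith(os.path.realpath(base) + os.sep)
    )

    results["traversal_rejected"] = False
    try:
        write_status_confined(base, "../../escaped.json", {})
    except UnsafePathError:
        results["traversal_rejected"] = True

    results["absolute_rejected"] = False
    try:
        write_status_confined(base, os.path.join(tempfile.gettempdir(), "escaped.json"), {})
    except UnsafePathError:
        results["absolute_rejected"] = True

    # A symlink inside base that points outside must be refused as well.
    results["symlink_rejected"] = None  # stays None where symlinks cannot be created
    link = os.path.join(base, "link")
    try:
        os.symlink(tempfile.gettempdir(), link)
    except OSError:
        return results
    results["symlink_rejected"] = False
    try:
        write_status_confined(base, "link/escaped.json", {})
    except UnsafePathError:
        results["symlink_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The same confine_path call belongs in front of data_path before any Parquet write, which is what the Overview's advice to keep output and status paths inside the skill's own directories amounts to in code.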

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The function is presented as fetching public-opinion data but actually returns fixed mock entries that look like live financial news. In a quant-trading skill, this can mislead downstream agents or users into treating fabricated sentiment data as real market intelligence, potentially driving incorrect investment analysis or automated decisions.
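A consumer cannot fix the mock return, but it can refuse to trust it. The block below is an added example and not the skill's code: canned_public_opinion is a constructed stand-in that reproduces the described behaviour (the argument is ignored and fixed entries come back), varying_public_opinion is a constructed stand-in for a live feed, and probe_sentiment_feed is a hypothetical pre-flight check that calls the feed for several securities and flags payloads that are byte-identical across codes or whose newest timestamp is older than a threshold. The field names title/sentiment/published, the timestamp format and the sample stock codes are assumptions, not the skill's schema.

```python
import hashlib
import json
from datetime import datetime, timedelta
from typing import Any, Callable, Dict, List

Fetcher = Callable[[str], List[Dict[str, Any]]]
TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format


def canned_public_opinion(stock_code: str) -> List[Dict[str, Any]]:
    """Constructed stand-in for the flagged behaviour: same fixed 'news' on every call."""
    return [
        {"title": "Strong quarterly results announced", "sentiment": 0.8,
         "published": "2024-01-15 09:30:00"},
        {"title": "Broker raises target price", "sentiment": 0.6,
         "published": "2024-01-14 16:00:00"},
    ]


def varying_public_opinion(stock_code: str, now: datetime) -> List[Dict[str, Any]]:
    """Constructed stand-in for a live feed: content depends on the code and is recent."""
    return [{"title": f"Update on {stock_code}", "sentiment": 0.1,
             "published": (now - timedelta(hours=1)).strftime(TS_FORMAT)}]


def probe_sentiment_feed(fetch: Fetcher, codes: List[str], now: datetime,
                         max_age: timedelta = timedelta(days=7)) -> Dict[str, Any]:
    """Look for the two signatures of canned data across several distinct securities:
    identical payloads regardless of code, and a newest item older than max_age."""
    fingerprints = set()
    newest = None
    for code in codes:
        rows = fetch(code)
        # Canonical JSON so field order cannot hide an identical payload.
        payload = json.dumps(rows, sort_keys=True, ensure_ascii=False).encode("utf-8")
        fingerprints.add(hashlib.sha256(payload).hexdigest())
        for row in rows:
            ts = datetime.strptime(row["published"], TS_FORMAT)
            newest = ts if newest is None or ts > newest else newest
    identical = len(codes) > 1 and len(fingerprints) == 1
    stale = newest is None or (now - newest) > max_age
    return {
        "identical_across_codes": identical,
        "newest_item": newest.strftime(TS_FORMAT) if newest else None,
        "stale": stale,
        "suspected_mock": identical or stale,
    }


def demo() -> Dict[str, Dict[str, Any]]:
    """Run the probe against both stand-ins with a fixed clock so results are reproducible."""
    now = datetime(2025, 6, 1, 12, 0, 0)
    codes = ["600519", "000001", "300750"]  # sample A-share codes, constructed input
    return {
        "canned": probe_sentiment_feed(canned_public_opinion, codes, now),
        "live_like": probe_sentiment_feed(lambda c: varying_public_opinion(c, now), codes, now),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the probe once against the real public_opinion function before wiring its output into any scoring or order logic; a feed that fails either check should be treated as mock data, as the Overview advises.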

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The markdown describes large-scale batch pulls, persistent local files, incremental state, and overwrite-based deduplication without prominent warnings about storage growth, runtime, or side effects. In agent settings, this can lead to unexpected resource exhaustion, long-running jobs, and silent local data accumulation from seemingly routine requests.

VirusTotal

66/66 vendors reported this skill as clean (no detections).
