Skills for A-share announcement data, released by ft.tech.

Security checks across malware telemetry and agentic risk

Overview

This skill transparently queries A-share announcement and research-report data and can save requested PDFs locally.

Before installing, understand that using this skill runs included Python scripts, contacts market.ft.tech, and may save PDFs locally when you request downloads. Use only the documented subskills and choose output filenames deliberately to avoid overwriting files in the skill working directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 86%
Finding
The skill instructs the agent to derive and execute a local `run.py` via `python <RUN_PY> ...`, and the documented workflow also includes reading sibling files and making network requests, but the skill declares no permissions. This creates an undeclared capability boundary: a caller or reviewer may believe the skill is data-only when it can actually read local files, invoke a shell/Python process, and access remote resources.

Missing User Warnings

Low
Confidence: 80%
Finding
The skill supports `--output announcement.pdf` to save downloaded PDFs locally but does not warn that this creates or overwrites files on disk. In an agent context, silent local file creation can unexpectedly clobber existing files or write into unsafe locations if the output name is user-influenced.

Missing User Warnings

Low
Confidence: 80%
Finding
The report-download flow similarly allows saving PDFs via `--output report.pdf` without any notice about local file creation or overwrite behavior. Even if intended, undocumented writes increase the chance of accidental data loss or misuse when output filenames are supplied dynamically.

VirusTotal

VirusTotal findings are pending for this skill version.
