Stock Data Monorepo

Security checks across malware telemetry and agentic risk

Overview

This stock-data skill mostly matches its stated purpose, but it needs review because it can spawn OpenClaw subagents and create persistent local reports while some data fallbacks are under-disclosed.

Install only if you are comfortable with a stock-research skill making external market/news queries, using browser automation, creating local Desktop/workspace report files, and invoking OpenClaw CLI/subagent workflows. Review generated reports before relying on them for financial decisions, especially where fallback data may come from cached or sample sources rather than live market data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"[DEBUG] URL: {url}")
        
        # Use the web_fetch tool
        result = subprocess.run(
            ['python3', '-c', f'''
import subprocess
result = subprocess.run(
Confidence
95% confidence
Finding
result = subprocess.run( ['python3', '-c', f''' import subprocess result = subprocess.run( ["openclaw", "web-fetch", "{url}", "--extract-mode", "text"], capture_output=True

Direct flow: os.environ.get (credential/environment) → subprocess.run (code execution)

High
Category
Data Flow
Content
for cmd in commands_to_try:
            try:
                result = subprocess.run(
                    cmd,
                    capture_output=True,
                    text=True,
Confidence
88% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=timeout_ms // 1000,

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script is described as a stock data query/reporting utility, but its documented behavior includes writing outputs to the user's Desktop in addition to the workspace output directory. That creates an unnecessary local side effect outside the skill's expected scope, which can expose data, clutter user files, and violate least-privilege expectations when run by an agent.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The hardcoded DESKTOP_DIR enables the script to write files into a user home directory location unrelated to core data retrieval. In an agent setting, this broadens the script's side effects beyond returning data and can persist potentially sensitive outputs in an unexpected location where other local processes or users may access them.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The default execution path automatically saves multiple report files locally instead of only printing or returning data. In the context of a skill advertised primarily as a stock data source dependency, this is risky because an invoking agent or user may trigger persistent file creation without realizing it, causing data leakage and unexpected host modification.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The helper script launches an external OpenClaw subagent to satisfy a narrow stock-theme lookup, giving the code a much broader execution capability than necessary. In a skill ecosystem, this expands the trust boundary and can expose the system to prompt-injection or unsafe tool-use behaviors originating from the spawned agent or its downstream dependencies.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The examples include cache-deletion commands that permanently remove files, but the surrounding text does not clearly warn that data will be lost or advise users to verify the target path first. In a documentation-driven skill, users may copy-paste commands directly, so even intended maintenance commands can cause accidental deletion if misunderstood or run from the wrong directory.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
On parse failure, the code logs a raw snapshot fragment from fetched browser content. If the page contains sensitive data, tokens, account state, or unexpected injected content, that information may be exposed to logs and downstream observability systems; in an agent environment, logs are often broadly accessible and long-lived.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The standalone trigger phrases are very broad generic finance-analysis requests, so this skill may activate for ordinary market commentary queries that do not specifically ask for theme-event correlation. In an agentic environment, over-broad activation can cause unintended tool use, unnecessary browsing/news collection, and generation of reports based on live data when the user only wanted a simple answer.

VirusTotal

67/67 vendors flagged this skill as clean.
