Security audit

Stock Theme Events

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis skill matches its stated purpose, but users should understand it may run helper scripts, query external finance/news sources, write local reports and caches, and invoke an OpenClaw subagent for stock theme lookup.

Install only if you are comfortable with a finance-analysis skill that may access external market/news services, download Python/model dependencies, spawn an OpenClaw subagent for related stock-theme lookups, and create local report/cache files. Review the output path before running, and treat the included sync/publish report commands as historical documentation rather than runtime instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill advertises filesystem and shell-capable behavior such as running Python scripts and writing reports, but it does not declare corresponding permissions. This creates a transparency and least-privilege problem: callers may invoke a skill that can modify local files or execute commands without an explicit permission boundary or user warning.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding: This script adds a subprocess-based dependency on the openclaw CLI and a spawned subagent to perform a simple data lookup. In a skill context, delegating to a general agent runtime increases the risk of prompt/output injection, unintended tool use, and execution of behaviors outside the narrow purpose of stock theme retrieval.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding: The documentation says the skill saves a generated report to a user-specified path, but it does not clearly warn that local filesystem contents will be created or overwritten. In an agent setting, ambiguous write behavior can lead to unintended file modification, path abuse, or writing sensitive data into unsafe locations.

VirusTotal

64/64 vendors flagged this skill as clean.