Futu-Stock

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Futu market and brokerage-account connector, but it should be treated as sensitive because it can access account data and can optionally enable trading-related capabilities.

Install only if you trust the Futu MCP server package and want an agent to query your Futu OpenD session. In particular:
  • Keep FUTU_ENABLE_TRADING=0 unless you deliberately accept trading risk.
  • Prefer SIMULATE unless live-account access is required.
  • Leave OPEND_PATH unset if you do not want automatic OpenD startup.
  • Use an isolated or pinned Python environment for dependency installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
    try:
        import time
        subprocess.Popen(
            [str(exe)],
            cwd=str(Path(opend_path)),
            stdout=subprocess.DEVNULL,
Confidence: 85%
Finding:
subprocess.Popen( [str(exe)], cwd=str(Path(opend_path)), stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, start_new_session=Tru

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
    # mcp package
    if not HAS_MCP:
        try:
            subprocess.run([sys.executable, "-m", "pip", "install", "mcp"], check=True, capture_output=True)
            installed.append("mcp")
        except subprocess.CalledProcessError as e:
            print(f"Failed to install mcp: {e}", file=sys.stderr)
Confidence: 95%
Finding:
subprocess.run([sys.executable, "-m", "pip", "install", "mcp"], check=True, capture_output=True)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
        ok = False
        if shutil.which("pipx"):
            try:
                subprocess.run(["pipx", "install", "futu-stock-mcp-server"], check=True, capture_output=True)
                installed.append("futu-stock-mcp-server")
                ok = True
            except subprocess.CalledProcessError as e:
Confidence: 94%
Finding:
subprocess.run(["pipx", "install", "futu-stock-mcp-server"], check=True, capture_output=True)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
                print(f"pipx install failed: {e}", file=sys.stderr)
        if not ok and shutil.which("pip"):
            try:
                subprocess.run([sys.executable, "-m", "pip", "install", "futu-stock-mcp-server"], check=True, capture_output=True)
                installed.append("futu-stock-mcp-server")
                ok = True
            except subprocess.CalledProcessError as e:
Confidence: 94%
Finding:
subprocess.run([sys.executable, "-m", "pip", "install", "futu-stock-mcp-server"], check=True, capture_output=True)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The manifest presents the skill as market-data access, but the body also enables account access, positions, real/simulated trading context, and even AI-assisted order placement when flags are changed. This scope mismatch is dangerous because users may authorize a quote-reading skill without realizing it can be reconfigured into a brokerage-integrated trading workflow touching sensitive financial assets.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The skill includes capability to start a local OpenD process, which exceeds the narrow role stated in the manifest of accessing stock/account data through an MCP server. Scope expansion matters because users and orchestrators may grant this skill trust appropriate for data access, not for process management on the host.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The code contains context-inappropriate system-management actions: installing packages and launching executables. In an agent ecosystem, such behavior increases the blast radius substantially because a seemingly read-oriented skill can modify the host and fetch additional code, enabling persistence or supply-chain compromise if abused.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The skill documents account, funds, and position queries but does not provide a strong privacy warning about exposing sensitive brokerage data to the agent or connected MCP tooling. In a financial context, account balances and holdings are highly sensitive, and silent access increases the risk of oversharing, logging, or unintended disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.
