EastMoney Conditional Stock Screening

Security checks across malware telemetry and agentic risk

Overview

This skill appears to query EastMoney stock-selection data as advertised, while locally caching a site fingerprint and CSV results that users should understand before use.

Install only if you are comfortable with the skill launching browser automation, contacting EastMoney, and writing query results plus a cached site fingerprint under a local workspace directory. Treat the output as screening data, not investment advice, and clear the workspace cache if you do not want the fingerprint retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (81% confidence)
Finding
The invocation description is broad enough to trigger on generic investment or market-analysis requests, which can cause the skill to activate outside its narrow intended use. Over-broad routing is dangerous because it increases unintended tool use, expanding exposure to the skill's code execution and any hidden capabilities such as undeclared file access.

Missing User Warnings

Medium (88% confidence)
Finding
The code persists a browser-derived fingerprint value (`qgqp_b_id`) to `workspace/fingerprint_cache.json` without any consent prompt, retention control, or protection of the cached value. Even if this cookie is not a classic session secret, it is still a tracking/anti-abuse identifier tied to browser activity, and storing it on disk increases the risk of unauthorized reuse, correlation, or leakage through shared workspaces, logs, backups, or other local access.

VirusTotal

66/66 vendors flagged this skill as clean.
