Qiaofuture Boston Stock King

Security checks across malware telemetry and agentic risk

Overview

This stock-picking skill mixes investment reports with ads, payment prompts, phone/photo/milk-tea flows, and persistent personal-data storage that are not safely scoped or consistently disclosed.

Review carefully before installing. Do not provide real phone numbers, delivery addresses, or personal photos unless you accept that the skill stores them locally, and do not assume its milk-tea, phone-call, reward, or VIP investment-service claims are actually fulfilled. Treat stock outputs as informational only and avoid sending money through embedded QR/payment prompts based on the skill's recommendations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (31)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The primary trigger for a stock-report skill is documented as showing a marketplace advertisement image instead of performing the promised analysis. This is a deceptive interaction pattern that can redirect user intent toward promotion or deployment actions, undermining informed use and potentially facilitating phishing-like upsell behavior.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The quick-start tells users that the trigger generates a stock report, while later trigger handling says it displays an advertisement. Inconsistent documentation around core behavior is risky because it defeats informed consent and can be used to steer users into unrelated content or workflows they did not request.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest presents a finance/stock-picking skill but also advertises unrelated caregiving, telephony, and comfort features such as phone calls and emotional support. This broadens the skill’s functional scope beyond user expectations, increasing the chance of deceptive activation, social engineering, or collection of sensitive personal data under a finance-themed brand.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Optional telephony and TTS dependencies are not justified by the stated purpose of stock selection and trading history. In a finance context, adding outbound communication features creates a pathway for spam, phishing-style outreach, impersonation, or unauthorized contact that users would not reasonably expect from a stock analysis skill.

Scope Creep

High
Confidence
97% confidence
Finding
The manifest claims no permissions while listing dependencies such as requests, efinance, and optional phone/TTS integrations that inherently imply network access and possible external communications. This mismatch undermines transparency and can conceal data flows, making it harder for users or reviewers to assess what the skill can access or transmit.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The code presents milk-tea delivery as completed and phone calls as actionable service behavior, but it only stores user contact details and returns fabricated confirmation text. This is deceptive functionality that can mislead users into sharing sensitive personal data under false pretenses, which is especially risky because the skill solicits real addresses and phone numbers.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill persists full delivery addresses and phone numbers to disk for a game-like comfort feature, which exceeds what is necessary for the stated functionality. Unnecessary retention of personal data increases privacy risk, especially if the host environment is shared, compromised, or logs/backups are exposed.

Intent-Code Divergence

Low
Confidence
90% confidence
Finding
The implementation explicitly simulates an order, yet the returned message states the order is generated, priced, and expected to arrive within 30–60 minutes. This misleading presentation can trick users into believing a real purchase or delivery process occurred, encouraging further disclosure of sensitive information.

Intent-Code Divergence

Low
Confidence
91% confidence
Finding
The code claims that a phone call has been arranged by an AI voice system, but it merely records the phone number and prints a script. This is deceptive service representation and may induce users to disclose or reuse phone numbers under the false impression that a legitimate calling workflow exists.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The photo feature is not limited to composing images; it also solicits monetary contributions and frames payment as part of the interaction flow. That creates scope creep from a benign media feature into monetization and behavioral pressure, which is risky because users invoking a photo trigger may not expect fundraising or service-gating behavior.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The code claims incense/payment is optional and not enforced, but later logic explicitly gives better treatment and access based on payment amount while implying reduced service otherwise. This is deceptive design: users are told payment is optional, yet the implementation pressures payment through unequal service promises.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
This function uses donation amount to unlock VIP stock-picking, real-time alerts, and private contact privileges, which are unrelated to the photo system in this file and introduce quasi-financial-service upselling. In the context of a stock-picking skill, tying money to preferential investment-related treatment can mislead users, create unfair inducement, and expand the system into higher-risk financial behavior.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The file stores per-user profiles and recommendation history in local JSON files even though the visible core function is stock analysis/report generation. This creates unnecessary collection and retention of user-linked behavioral data without any access control, minimization, consent, or deletion handling, which increases privacy and data leakage risk if the host environment is shared or compromised.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The stock-analysis workflow embeds targeted donation solicitation unrelated to the core analytical function, creating a social-engineering and trust-abuse risk. In an agent skill context, mixing financial recommendations with payment prompts can pressure users into transferring money based on perceived authority or personalization.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill includes standalone promotional content for Tencent Cloud/OpenClaw and related products that is not necessary to fulfill the stated stock-picking and companion features. This expands the skill's behavior beyond user expectations and can be used to steer users into off-platform marketing flows, increasing phishing, social-engineering, or undisclosed advertising risk.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code advertises physical rewards and implies private-message logistics/fulfillment without any demonstrated consent, fulfillment system, or privacy handling. This can mislead users into believing the skill collects or will use personal contact details, creating privacy and deception concerns.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The report embeds prominent payment QR codes and donation solicitation despite framing the donation prompt as subtle. In a skill that also gives stock recommendations and emotional comfort messaging, this can exert manipulative pressure on users and blur the line between service output and fundraising.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The installation confirmation flow trusts an unverified natural-language user reply and flips local capability flags as if phone or voice features were installed. This can desynchronize the recorded state from reality, causing downstream components to assume sensitive capabilities are available and potentially trigger unsafe behavior, failed calls, or abuse of privileged integrations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The branding explicitly promotes phone-based outreach as a product feature, but provides no indication of how phone numbers are collected, whether users must opt in, or how call-related personal data is handled. In a consumer-facing investment-related skill, this omission increases privacy and consent risk because vulnerable users may be encouraged to share sensitive contact information during emotional or financial distress.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The usage example offers to call users immediately after they report losses, targeting a potentially emotionally vulnerable state without any warning about consent, privacy, or handling of phone/contact data. In this context, the feature is more dangerous because the skill is framed as a supportive stock-picking companion, which may pressure distressed users into disclosing personal information or accepting outreach they did not meaningfully consent to.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill promotes phone-calling behavior without clear privacy notice, consent flow, or explanation of real-world contact implications. Even though calling is framed as an optional extension, users may be encouraged to install and use telephony features without understanding what personal data, phone numbers, or call records could be processed.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Several trigger phrases are broad or ambiguous for a finance skill, including phrases related to phone installation, comfort, and hospitality. Overbroad triggers increase the likelihood of unintended activation, especially when tied to sensitive finance or communication workflows, and may let the skill engage users outside the narrow context they intended.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The tutorial states the skill can be triggered in any OpenClaw-supported context, which makes activation boundaries unclear and increases the chance of unintended invocation in unrelated conversations. In a finance-themed skill that gives stock picks and emotional support, accidental triggering can expose users to unsolicited financial content and cause the agent to act outside the user's immediate intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The markdown says the system automatically records recommendations, tracks performance, and learns user preferences, but it does not clearly disclose retention duration, what data is stored, whether profiling occurs, or how users can opt out. In an investment-assistant context, this creates meaningful privacy risk because behavioral and sentiment signals about a user's holdings, preferences, and financial concerns may be persistently profiled without informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Sensitive personal data, including full address and phone number, is written to disk without any visible disclosure, consent, retention policy, or protection mechanism. Users may reasonably believe they are only interacting with a playful feature, not authorizing ongoing storage of personally identifiable information.

VirusTotal

67/67 vendors flagged this skill as clean.
