China iFinD Skill(同花顺Skill)

Security checks across malware telemetry and agentic risk

Overview

This iFinD skill is mostly a coherent financial-data API wrapper, but it asks for durable credential handling and exposes portfolio-changing financial actions without clear safeguards.

Review before installing. Configure IFIND_REFRESH_TOKEN through a secure local secret or environment mechanism rather than pasting it into chat, protect or delete any .env and .data token files when finished, and restrict use to read-only endpoints unless you explicitly intend to modify iFinD portfolio records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation indicates it uses environment variables, local file read/write, and outbound network access, but the manifest does not explicitly declare permissions for those capabilities. This weakens security review and least-privilege enforcement because operators and platforms cannot accurately understand or constrain what the skill needs. In this context, the skill handles authentication tokens and writes logs/cache files, so undeclared capabilities are more concerning than in a purely local read-only skill.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documentation instructs the agent to persist a user-provided refresh token into a local .env file. Storing credentials on disk expands exposure risk, and the skill description is for financial data queries, so modifying local credential stores is broader than minimally necessary and lacks safeguards or consent language.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The reference includes portfolio creation, cash operations, trade execution, and related state-changing functions, which materially exceed a stated read-only financial data query skill. This creates capability overreach: an agent intended for data retrieval could be induced to perform account-affecting actions with financial consequences.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The skill instructs the user to send their refresh token directly to the assistant, which is a credential-handling anti-pattern. Secrets pasted into chat can be retained in conversation history, exposed to logs, or mishandled by downstream systems, creating a direct risk of account compromise and unauthorized API usage. Because this token grants access to a financial data service, the surrounding context makes the issue more sensitive, not less.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The instructions tell the agent to save a refresh token provided by the user without any warning about sensitivity, retention, or local exposure. Refresh tokens typically grant durable API access, so mishandling them can enable unauthorized access to financial data or linked services.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The portfolio-management examples document state-changing operations such as creating portfolios, importing records, cash transfers, and trades without clear warnings that these actions may modify user account or portfolio data. In a financial context, silent or insufficiently signposted write actions can cause real monetary, compliance, or audit issues.

VirusTotal

42/42 vendors flagged this skill as clean.
