NeoAlpha

Security checks across malware telemetry and agentic risk

Overview

NeoAlpha is disclosed as an investing research and monitoring skill, but it installs persistent background jobs with command-execution, file-write, notification, and cron-editing authority.

Install only if you want recurring market-monitoring automation. Review the 8 cron jobs, delivery channel, Feishu/Lark config, and files under memory/strategies before enabling; prefer --channel none first, back up workbooks before finalization, and keep portfolio/thesis files out of shared workspaces. VirusTotal was clean and I found no artifact-backed exfiltration, destructive behavior, or hidden trading execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (26)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

# ROOT is the skill's working directory; it is defined elsewhere in the script.

def run(cmd: list[str], timeout: int) -> subprocess.CompletedProcess[str]:
    # Runs the argv list without a shell and captures both output streams;
    # the caller decides what cmd is, which is what the finding below is about.
    return subprocess.run(
        cmd,
        cwd=str(ROOT),
        text=True,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        timeout=timeout,
    )
Confidence
90% confidence
Finding
return subprocess.run( cmd, cwd=str(ROOT), text=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, timeout=timeout, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises no declared permissions, yet its documented behavior clearly relies on environment access, reading and writing local files, and invoking shell commands. This creates a trust and review gap: operators may approve or run the skill under the assumption that it is low-privilege, while it can modify portfolio ledgers and thesis files and execute local commands. In a finance-oriented skill handling sensitive research and portfolio data, undeclared capabilities materially increase the risk of unintended data exposure or harmful local actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The skill description focuses on research and monitoring, but the detected behavior includes cron registration/management and outbound notification delivery to Feishu/Lark or other channels. That mismatch is dangerous because users may not expect the skill to create persistence-like scheduled tasks or transmit potentially sensitive market research, prompts, or portfolio-derived content off-host. In this context, hidden automation and messaging expand both the attack surface and the chance of unauthorized data exfiltration or noisy autonomous actions.
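The two findings above (Lp3 and Tp4) both come down to the same check: what the code actually needs versus what the skill declares. The script below is an added example written for this review, not the scanner's or the skill's own code. It infers coarse capability labels (exec, file_write, file_read, env, network) from Python syntax alone and diffs them against a declared permission list. The manifest shape (a JSON object with a "permissions" list), the capability names, and the sample source are assumptions for illustration.

```python
"""Infer what a skill's Python sources actually do and diff that against the
permissions its manifest declares. Added example, not the skill's or the
scanner's code; manifest layout and capability names are assumed."""
from __future__ import annotations
import ast
import json
from pathlib import Path

EXEC_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
              "subprocess.check_call", "subprocess.check_output",
              "os.system", "os.popen"}
NETWORK_MODULES = {"requests", "urllib", "http", "socket", "httpx", "aiohttp"}
WRITE_MODES = set("wax+")


def _dotted(node: ast.AST) -> str:
    """'a.b.c' for a Name/Attribute chain, '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _open_mode(call: ast.Call) -> str:
    """Literal mode passed to open(); defaults to 'r' like the builtin."""
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        return str(call.args[1].value)
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            return str(kw.value.value)
    return "r"


class CapabilityVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.caps: set[str] = set()

    def visit_Import(self, node: ast.Import) -> None:
        if any(a.name.split(".")[0] in NETWORK_MODULES for a in node.names):
            self.caps.add("network")
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module and node.module.split(".")[0] in NETWORK_MODULES:
            self.caps.add("network")
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted(node.func)
        if name in EXEC_CALLS:
            self.caps.add("exec")
        elif name == "open":
            writes = WRITE_MODES & set(_open_mode(node))
            self.caps.add("file_write" if writes else "file_read")
        elif name.endswith((".write_text", ".write_bytes")):
            self.caps.add("file_write")
        elif name in {"os.getenv", "os.environ.get"}:
            self.caps.add("env")
        self.generic_visit(node)

    def visit_Subscript(self, node: ast.Subscript) -> None:
        if _dotted(node.value) == "os.environ":
            self.caps.add("env")
        self.generic_visit(node)


def infer_capabilities(source: str) -> set[str]:
    visitor = CapabilityVisitor()
    visitor.visit(ast.parse(source))
    return visitor.caps


def undeclared(declared: list[str], inferred: set[str]) -> list[str]:
    """Capabilities the code relies on that the manifest never mentions."""
    return sorted(inferred - set(declared))


def audit_skill(skill_dir: Path) -> list[str]:
    """On-disk variant: manifest.json beside the sources (assumed layout)."""
    manifest = json.loads((skill_dir / "manifest.json").read_text())
    inferred: set[str] = set()
    for py in skill_dir.rglob("*.py"):
        inferred |= infer_capabilities(py.read_text())
    return undeclared(manifest.get("permissions", []), inferred)


# Constructed sample shaped after the behaviour described above (shell
# execution, file writes, environment secrets, outbound delivery).
SAMPLE_SOURCE = '''
import os, subprocess
import requests

def run(cmd):
    return subprocess.run(cmd, text=True)

def save_thesis(path, text):
    with open(path, "w") as fh:
        fh.write(text)

WEBHOOK = os.environ["FEISHU_WEBHOOK"]
'''
```

A skill that declares nothing but infers to exec, file_write, env and network is exactly the review gap Lp3 describes. Treat the result as a review aid rather than a gate: syntax-level inference misses getattr tricks, exec() on strings and anything the agent is told to do in prompt markdown rather than code.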

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The documentation states that all 8 Minervini trend-template conditions are mandatory, including relative strength (RS), but the implementation only checks 7 conditions and still reports `all_passed` when those 7 succeed. In a trading-research skill, this creates a logic integrity flaw: users may treat a stock as fully qualified when a key momentum filter was never evaluated, leading to systematically weaker selections and unsafe decision automation.

Intent-Code Divergence

Low
Confidence
81% confidence
Finding
The `detect_vcp` function advertises detection from price and volume data, but it ignores `highs`, `lows`, and `volumes`, using only closes for a simplified pattern check. In this skill context, that mismatch can mislead downstream users or agents into trusting a VCP signal that does not actually validate contraction depth, volume dry-up, or intraday structure, reducing signal quality and potentially causing bad entries.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script accepts an arbitrary trailing command, executes it, and forwards its stdout to a messaging channel or stdout delivery path. In a stock-research skill, this is broader than necessary and can be abused as a general execution-and-exfiltration primitive, especially if cron configuration or calling context can be influenced by another component or user.
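To make the primitive concrete, here is the pattern the finding describes beside a scoped form. This is an added example written for this review, not the skill's code: SKILL_ROOT, the script allowlist, the argument grammar, the output cap and the redaction pattern are all assumptions made for illustration.

```python
"""Execute-and-relay: the broad form the finding describes, and a scoped one.
Added example, not the skill's code; root, allowlist and limits are assumed."""
from __future__ import annotations
import re
import subprocess
import sys
from pathlib import Path
from typing import Callable

SKILL_ROOT = Path("/opt/skills/neoalpha")                  # hypothetical location
ALLOWED_SCRIPTS = {"scripts/hk_daily.py", "scripts/watchlist_scan.py"}  # assumed
MAX_RELAY_BYTES = 4000                                    # per-run cap on what leaves the host
ARG_TOKEN = re.compile(r"[A-Za-z0-9._:-]{1,64}")           # tickers, dates, plain values only
SECRET_RE = re.compile(r"(?i)(api[_-]?key|token|secret|password)\s*[=:]\s*\S+")


def relay_broad(trailing_args: list[str], timeout: int = 60) -> str:
    """What the finding describes: run whatever argv the caller or a cron
    entry supplies and return its stdout for delivery. No shell is involved,
    but the caller still picks the binary, so this is a general
    execute-and-exfiltrate primitive."""
    proc = subprocess.run(trailing_args, capture_output=True, text=True, timeout=timeout)
    return proc.stdout


def plan_scoped_command(trailing_args: list[str], root: Path = SKILL_ROOT) -> list[str]:
    """Accept only an allowlisted script under the skill root plus plain-token
    arguments; reject absolute paths, traversal and anything shell-ish."""
    if not trailing_args:
        raise ValueError("no command supplied")
    script, *args = trailing_args
    rel = Path(script)
    if rel.is_absolute() or rel.as_posix() not in ALLOWED_SCRIPTS:
        raise PermissionError(f"script not allowlisted: {script}")
    for arg in args:
        if not ARG_TOKEN.fullmatch(arg):
            raise ValueError(f"argument rejected: {arg!r}")
    return [sys.executable, str(root / rel), *args]


def scrub_output(stdout: str) -> str:
    """Redact credential-looking assignments and cap the payload before
    anything is handed to a messaging channel."""
    redacted = SECRET_RE.sub(r"\1=[REDACTED]", stdout)
    data = redacted.encode()
    if len(data) > MAX_RELAY_BYTES:
        return data[:MAX_RELAY_BYTES].decode(errors="ignore") + "\n[truncated]"
    return redacted


def run_and_relay(trailing_args: list[str], deliver: Callable[[str], None],
                  timeout: int = 60) -> int:
    """Scoped replacement for relay_broad: plan, run under the skill root,
    scrub, then deliver. Returns the script's exit code."""
    cmd = plan_scoped_command(trailing_args)
    proc = subprocess.run(cmd, cwd=str(SKILL_ROOT), capture_output=True,
                          text=True, timeout=timeout)
    deliver(scrub_output(proc.stdout))
    return proc.returncode
```

The allowlist is the important part: once the argv is fixed to a reviewed script, a tampered cron line or an injected prompt can at most change which allowlisted scan runs and with which ticker, not exfiltrate `env` or read arbitrary files. The size cap and redaction are defence in depth for the case where an allowlisted script itself starts printing something it should not.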

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script installs persistent scheduled jobs that cause an agent to execute prompts and local scripts with read/write/exec/process capabilities. In an agentic environment, that meaningfully expands the attack surface beyond passive stock research because any compromised prompt file or script in the referenced paths would be executed automatically on a recurring basis.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Several scheduled jobs grant exec and process permissions, enabling unattended command execution on a timer. Given the skill's stated purpose of stock research and monitoring, this is only safe if the executed code paths are tightly controlled; otherwise any tampering of the target scripts or prompt files can become persistent automated execution.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The session-reset jobs include the cron capability, allowing a scheduled agent task to modify scheduling itself. That creates a persistence and self-modification pathway: if the referenced markdown instructions are malicious or become compromised, the job can install, alter, or re-arm additional automated tasks without operator approval.
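The three findings above describe what to look for in the 8 cron jobs before enabling them: a job that holds the cron capability, jobs with exec or process authority, referenced scripts or prompts that live outside the reviewed tree, and output that leaves the host. The reviewer below is an added example written for this page, not OpenClaw's or the skill's code. The job record shape (name, schedule, capabilities, script or prompt path, channel), the capability names and the sample jobs are assumptions; adapt the loader to whatever format the installed entries actually use.

```python
"""Review scheduled-job definitions before enabling them. Added example,
not the skill's or OpenClaw's code; record layout and names are assumed."""
from __future__ import annotations
import os
import stat
from pathlib import PurePosixPath

SELF_MODIFYING = {"cron"}              # a job that can rewrite the schedule itself
UNATTENDED_EXEC = {"exec", "process"}  # runs commands on a timer, nobody watching
# Trees whose contents the operator has actually read (assumed for this example).
REVIEWED_ROOTS = (
    PurePosixPath("~/.openclaw/workspace/skills/neoalpha"),
    PurePosixPath("~/.openclaw/workspace/memory/strategies"),
)


def within_reviewed_roots(path: str) -> bool:
    p = PurePosixPath(path)
    if ".." in p.parts:
        return False
    return any(p == root or root in p.parents for root in REVIEWED_ROOTS)


def world_writable(path: str) -> bool | None:
    """True if the referenced file exists and others may write it; None if absent."""
    real = os.path.expanduser(path)
    if not os.path.exists(real):
        return None
    return bool(os.stat(real).st_mode & stat.S_IWOTH)


def review_jobs(jobs: list[dict]) -> list[tuple[str, str, str]]:
    """Return (severity, job name, message) tuples for an operator to read."""
    findings = []
    for job in jobs:
        name, caps = job["name"], set(job.get("capabilities", []))
        if caps & SELF_MODIFYING:
            findings.append(("high", name,
                             "holds the cron capability: can install or re-arm its own jobs"))
        if caps & UNATTENDED_EXEC:
            findings.append(("medium", name,
                             f"runs commands unattended on schedule {job['schedule']!r}"))
        for key in ("script", "prompt"):
            ref = job.get(key)
            if not ref:
                continue
            if not within_reviewed_roots(ref):
                findings.append(("high", name, f"{key} {ref} lies outside the reviewed roots"))
            if world_writable(ref):
                findings.append(("high", name,
                                 f"{key} {ref} is world-writable: any local user can change what runs"))
        if job.get("channel", "none") != "none":
            findings.append(("medium", name, f"output leaves the host via {job['channel']}"))
    return findings


def blocks_enable(findings: list[tuple[str, str, str]]) -> bool:
    """Policy hook: refuse to enable while any high finding is open."""
    return any(sev == "high" for sev, _, _ in findings)


# Constructed job list for demonstration; names, paths and schedules are hypothetical.
SAMPLE_JOBS = [
    {"name": "hk-daily-scan", "schedule": "0 9 * * 1-5",
     "capabilities": ["read", "write", "exec", "process"],
     "script": "~/.openclaw/workspace/skills/neoalpha/scripts/hk_daily.py",
     "channel": "feishu"},
    {"name": "session-reset", "schedule": "0 0 * * *",
     "capabilities": ["read", "cron"],
     "prompt": "~/.openclaw/workspace/skills/neoalpha/prompts/reset.md",
     "channel": "none"},
    {"name": "shared-helper", "schedule": "*/5 * * * *",
     "capabilities": ["exec"],
     "script": "/tmp/shared/run.py", "channel": "none"},
]

if __name__ == "__main__":
    for sev, name, msg in review_jobs(SAMPLE_JOBS):
        print(f"[{sev}] {name}: {msg}")
```

Running it against a real install is the "review the 8 cron jobs" step from the overview made mechanical: the cron-capable session-reset job shows up as high on its own, exec jobs are listed with their schedules so the operator sees how often unattended code runs, and any prompt or script outside the reviewed tree (or writable by other local users) is a persistence path that must be fixed before `--channel none` is ever switched to a real channel.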

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly requires writing to `memory/strategies/hk-daily.md` but does not surface any user-facing notice or consent boundary around modifying local files. In an agent setting, silent file writes can overwrite prior strategy state, create persistence the user did not request, or be chained with other instructions to alter downstream decision-making artifacts.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger phrases are broad and context-poor, including generic terms like "catalyst," "upcoming events," and patterns such as "[公司] upcoming" ("[company] upcoming"). In an agent skill, this can cause accidental or overbroad invocation on unrelated user requests, leading the system to pull market research workflows into contexts where the user did not clearly request them, which increases the risk of unintended actions, noisy outputs, and misuse of external data sources.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list contains very broad phrases such as 'competitive landscape', '对标公司' ('comparable companies'), and '谁是竞争对手' ('who are the competitors') without scoping rules, which can cause the skill to activate on ordinary conversation or adjacent requests. In an investment-research agent, over-broad activation is risky because it may steer unrelated prompts into analysis workflows, increasing the chance of unintended tool use, irrelevant financial outputs, or context hijacking by nearby content.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list includes broad natural-language phrases such as "screening," "stock ideas," and "pitch me something," which can cause the skill to activate outside the author's intended scope. In an investment-research skill, unintended invocation can lead to inappropriate use of market-data, portfolio, or thesis-tracking workflows in unrelated conversations, increasing the risk of misleading financial output or accidental disclosure of sensitive context.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger list is broad enough to match ordinary research requests such as 'deep research [company]' or 'new thesis', which can cause the skill to activate unexpectedly outside a narrowly scoped workflow. In a financial-research skill, ambiguous activation is risky because it may launch multi-step analysis, create artifacts, or influence investment-related outputs when the user did not explicitly request this gated process.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The file instructs the agent to write long-term tracking results to a persistent local directory, but it does not require explicit user consent or a warning that files may be created or modified. This is dangerous because unexpected persistence can expose sensitive research history, overwrite existing files, or leave durable artifacts on the host system without the user's awareness.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list includes broad natural-language phrases such as "新数据进来" ("new data has come in") and "刷新估值" ("refresh the valuation"), which are common in ordinary financial discussion and can cause unintended invocation of this skill. In an agent that can update research models and valuations, accidental activation can lead to unauthorized or erroneous workflow execution, stale data being overwritten, or confusing outputs being injected into unrelated conversations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This document provides concrete trading actions, thresholds, and position-sizing guidance such as when to add, reduce, or fully exit positions. In the context of an agent skill for stock research, this can directly drive financial decisions without any warning, suitability check, or disclaimer, increasing the risk that users treat the output as actionable investment advice and suffer losses.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The file instructs appending operation records to thesis files, which implies modifying user-maintained artifacts without an explicit warning or consent flow. Even though the content is just markdown logging, silent or assumed file modification can overwrite, pollute, or create misleading records in a user's investment research workflow.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list includes very broad natural-language phrases such as "one-pager", "公司速览" ("company quick view"), and "company snapshot," which can cause the skill to activate in contexts where the user did not clearly intend this specific workflow. In an agent environment, overbroad activation increases the chance of accidental invocation, context hijacking, or routing the user into an investment-research flow without sufficient confirmation.
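The six Vague Triggers findings on this page share one mechanism: a substring hit on a generic phrase is enough to activate the skill. The snippet below is an added example written for this review, not the skill's trigger logic. It shows the overbroad behaviour using the phrases quoted in the findings, and one way to gate activation: require explicit equity context (a ticker or a finance term) and otherwise ask the user to confirm before pulling them into the research workflow. The context and ticker heuristics, the confirm-before-activating policy and the sample messages are assumptions for illustration.

```python
"""How broad trigger phrases fire on unrelated text, and a context gate.
Added example, not the skill's trigger logic; heuristics are assumed."""
from __future__ import annotations
import re

# Trigger phrases quoted in the findings above, plus two of the Chinese ones.
TRIGGERS = [
    "screening", "stock ideas", "pitch me something", "catalyst",
    "upcoming events", "competitive landscape", "one-pager",
    "company snapshot", "deep research", "new thesis", "刷新估值", "公司速览",
]
# Explicit signs the user is talking about equities (assumed heuristics).
FINANCE_CONTEXT = re.compile(
    r"\b(stocks?|ticker|equit(y|ies)|shares?|valuation|portfolio|earnings|"
    r"52-week|minervini|watchlist)\b", re.IGNORECASE)
# Hong Kong codes such as 0700.HK and $-prefixed US symbols such as $TSLA.
TICKER = re.compile(r"\b\d{4,5}\.HK\b|\$[A-Z]{1,5}\b")


def broad_match(message: str) -> list[str]:
    """The overbroad behaviour: any substring hit activates the skill."""
    text = message.lower()
    return [t for t in TRIGGERS if t in text]


def scoped_decision(message: str) -> str:
    """'activate' only with a trigger AND explicit context; otherwise
    'confirm' (ask the user first) or 'no'."""
    if not broad_match(message):
        return "no"
    if TICKER.search(message) or FINANCE_CONTEXT.search(message):
        return "activate"
    return "confirm"


# Constructed user messages with the decision a scoped router should reach.
SAMPLE_MESSAGES = {
    "Can you help with screening the job applicants?": "confirm",
    "Pitch me something for dinner tonight.": "confirm",
    "Run a Minervini screening on 0700.HK and 9988.HK.": "activate",
    "Give me a company snapshot of $TSLA before earnings.": "activate",
    "What is the weather like tomorrow?": "no",
}


def evaluate() -> dict[str, tuple[list[str], str]]:
    """Pair each sample with what the broad matcher fires on and what the
    scoped router decides, so the two can be compared side by side."""
    return {m: (broad_match(m), scoped_decision(m)) for m in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for message, (hits, decision) in evaluate().items():
        print(f"{decision:8} broad={hits} :: {message}")
```

The first two samples are the problem the findings describe: "screening" and "pitch me something" fire on a hiring question and a dinner request. Because this skill can write strategy files and schedule jobs, the cheap mitigation is to treat a bare trigger as a request for confirmation rather than as consent.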

Natural-Language Policy Violations

Medium
Confidence
81% confidence
Finding
The document is written entirely in Chinese and presents a fixed Chinese-language template without indicating that the user may choose another language. This can override user preference or system defaults, creating usability and instruction-following issues; in a financial research workflow, that may also increase misunderstanding or misinterpretation of data and caveats.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script directly modifies the supplied workbook in place by calling `officecli set` on the user-provided file, and there is no confirmation, backup, or separate output path. In a research workflow this can silently alter source financial models or corrupt authoritative spreadsheets if run on the wrong file, creating integrity and recoverability risk rather than code-execution risk.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The skill is written entirely in Chinese without any language selection, fallback, or opt-in, which can cause users or downstream agents to misunderstand trading instructions and risk controls. In a financial workflow, misunderstanding exit or stop-loss criteria can directly lead to incorrect portfolio actions, delayed exits, or failure to apply intended safeguards.

Session Persistence

Medium
Category
Rogue Agent
Content
> export SKILL_SRC="skills/neoalpha"
> 
> # 2. Copy the skill to the standard OpenClaw workspace skills directory
> mkdir -p ~/.openclaw/workspace/skills
> cp -R "$SKILL_SRC" ~/.openclaw/workspace/skills/neoalpha 2>/dev/null || true
> 
> # 3. Create portfolio and strategy runtime directories
Confidence
87% confidence
Finding
mkdir -p ~/.openclaw/workspace/skills > cp -R "$SKILL_SRC" ~/.openclaw

Session Persistence

Medium
Category
Rogue Agent
Content
> mkdir -p ~/.openclaw/workspace/skills
> cp -R "$SKILL_SRC" ~/.openclaw/workspace/skills/neoalpha 2>/dev/null || true
> 
> # 3. Create portfolio and strategy runtime directories
> mkdir -p ~/.openclaw/workspace/memory/strategies/portfolio
> 
> # 4. Copy prompt templates from the standardized destination
Confidence
84% confidence
Finding
Create portfolio and strategy runtime directories > mkdir -p ~/.openclaw/workspace/memory/strategies/portfolio > > # 4. Copy prompt templates from the standardized destination > cp ~/.openclaw/worksp

Session Persistence

Medium
Category
Rogue Agent
Content
cp -R neoalpha ~/.openclaw/workspace/skills/
```

### 2. Create runtime directories

The skill writes daily strategies and live state to `memory/strategies/`:
Confidence
82% confidence
Finding
Create runtime directories The skill writes daily strategies and live state to `memory/strategies/`: ```bash mkdir -p ~/.openclaw

VirusTotal

65/65 vendors flagged this skill as clean.
