ClawHub

Stock Analysis 6

Security checks across malware telemetry and agentic risk

Overview

The stock-analysis features fit the stated purpose, but the optional Twitter/X scanners require sensitive session cookies and broad local access that users should review carefully.

Install only if you are comfortable avoiding or carefully managing the optional Twitter/X path. The core stock, crypto, dividend, portfolio, and watchlist features are purpose-aligned, but do not add AUTH_TOKEN/CT0 or grant Terminal Full Disk Access unless you trust the bird CLI and can protect those credentials. Prefer --no-social, keep .env out of source control and backups, and treat local portfolio/watchlist files as sensitive financial data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The documentation presents the system as producing clear BUY/HOLD/SELL outputs and timing guidance while later disclaiming that it is not a source of trading signals. This inconsistency can mislead users and integrators about the tool’s actual function, increasing the chance that they rely on it as financial advice or deploy it in higher-risk decision workflows without appropriate controls.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
Saying 'Bots execute, we advise' and 'No Execution' is not itself unsafe, but combined with direct actionable recommendation framing it creates a misleading boundary between advice and trading signals. That ambiguity can cause downstream consumers to treat the output as safer or less regulated than it really is, which is a documentation integrity and misuse risk.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documentation expands the skill beyond passive Yahoo Finance analysis into acquiring Twitter/X access through an external CLI and reused browser-derived session tokens. That introduces credential-handling and account-access capabilities not necessary for the core stock-analysis purpose, increasing attack surface and the chance that users grant sensitive access under the guise of a market-scanning feature.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill invokes an external CLI and gives it the full process environment, which may include secrets loaded from .env or inherited from the host. In the context of a stock-analysis skill, this expands capability beyond simple network fetching and creates a plausible secret-exposure path through a third-party binary.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The script loads all values from a local .env file into the process environment, which can expose unrelated secrets to later code paths and child processes. In this file, those variables are subsequently inherited by an external CLI, expanding the blast radius of any stored credentials beyond what is necessary for stock analysis.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The plan explicitly includes Mixpanel/Amplitude and Sentry telemetry, but the surrounding security/compliance section does not mention any user-facing disclosure, consent flow, or telemetry controls. In a consumer finance app that processes portfolio holdings, alerts, and behavioral usage data, silent analytics/error reporting can create privacy and regulatory exposure because users may not understand what data is collected or shared with third parties.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to extract Twitter/X session cookies (AUTH_TOKEN and CT0) from browser DevTools and store them in a local .env file. Session cookies are highly sensitive bearer credentials; encouraging manual extraction increases the chance of account compromise, accidental leakage via shell history, logs, screenshots, backups, or source control, and may bypass safer official authentication flows.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The instructions tell users to create a .env file containing AUTH_TOKEN and CT0 credentials for Twitter/X access, but provide no guidance on secure storage, file permissions, exclusion from source control, or rotation. This increases the chance that sensitive session tokens are exposed through accidental commits, shared directories, logs, or overly broad file access by other tools.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The documentation explicitly describes persistent local storage of portfolio and watchlist data, including holdings, quantities, and cost basis, without any visible warning about retention, file location, access controls, or sensitivity of financial data. In a stock-analysis skill, this matters because users may enter sensitive personal investment information, which could be exposed to other local users, backups, logs, or synced folders if stored insecurely.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instructions tell users to grant Terminal Full Disk Access and manually extract/store Twitter/X auth tokens without warning that these are highly sensitive credentials. This can expose browser session data and enable account takeover or broader local privacy compromise if the environment, shell history, or .env file is accessed by other tools or users.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The usage guide documents commands that create, modify, and remove portfolio/watchlist entries without clearly warning users that these actions persist to local storage and that remove operations delete saved data. This is not code execution or a direct security exploit, but it can still cause unintended state changes or accidental data loss when users copy-paste examples assuming they are read-only demonstrations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script analyzes explicit user portfolio holdings and ticker lists by contacting multiple external services without a clear user-facing disclosure or consent step. In this skill context, portfolio symbols can reveal sensitive financial interests or strategies, so silent transmission to Yahoo Finance, Google News, SEC/EDGAR, or other providers creates a real privacy risk even if no direct exploit is needed.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Running an external CLI without clear disclosure is risky because it executes code outside the Python process and may use host credentials or network access unexpectedly. In this skill, that risk is amplified by forwarding the environment and by relying on whichever 'bird' binary resolves first.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code silently loads credentials from a .env file without limiting scope or informing the user, then leaves them in the ambient environment for subsequent operations. That increases the chance of accidental credential exposure through child processes or debugging/logging in surrounding tooling.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code copies the full current environment and passes it to an external Bird CLI process, which may include API tokens and unrelated secrets loaded earlier from .env. If the CLI is compromised, misconfigured, or logs its environment, those secrets could be disclosed or abused.

Ssd 3

Medium
Confidence
98% confidence
Finding
The document explicitly instructs users to extract live Twitter/X session tokens from browser cookies and reuse them via environment variables or a local .env file. Reusing session tokens outside the browser bypasses safer authentication boundaries and creates a durable secret that, if leaked, can grant unauthorized access to the user's Twitter/X account.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal