A股持仓监控助手 (A-share Portfolio Monitoring Assistant)

Security checks across malware telemetry and agentic risk

Overview

This stock portfolio skill is mostly aligned with its stated purpose, but its menu launcher can turn typed stock fields into shell commands on the user’s machine.

Review before installing. Avoid running scripts/run_monitor.py with copied or untrusted input unless the os.system calls are replaced with safe subprocess argument lists or direct Python calls. Be aware that your holdings and cost basis are saved locally in a hidden file, and that the included package appears to be missing a module needed for portfolio analysis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
if choice == '1':
    print("\n正在生成持仓报告...")
    os.system("python portfolio.py analyze")
elif choice == '2':
    print("\n正在运行选股...")
    os.system("python selector.py")
Confidence
84% confidence
Finding
os.system("python portfolio.py analyze")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    os.system("python portfolio.py analyze")
elif choice == '2':
    print("\n正在运行选股...")
    os.system("python selector.py")
elif choice == '3':
    code = input("股票代码: ")
    cost = input("成本价: ")
Confidence
80% confidence
Finding
os.system("python selector.py")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    code = input("股票代码: ")
    cost = input("成本价: ")
    qty = input("数量: ")
    os.system(f"python portfolio.py add {code} --cost {cost} --qty {qty}")
elif choice == '4':
    code = input("股票代码: ")
    os.system(f"python portfolio.py remove {code}")
Confidence
99% confidence
Finding
os.system(f"python portfolio.py add {code} --cost {cost} --qty {qty}")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    os.system(f"python portfolio.py add {code} --cost {cost} --qty {qty}")
elif choice == '4':
    code = input("股票代码: ")
    os.system(f"python portfolio.py remove {code}")
elif choice == '5':
    print("再见!")
    break
Confidence
99% confidence
Finding
os.system(f"python portfolio.py remove {code}")

Tainted flow: 'code' from input (line 35, user input) → os.system (code execution)

Critical
Category
Data Flow
Content
    code = input("股票代码: ")
    cost = input("成本价: ")
    qty = input("数量: ")
    os.system(f"python portfolio.py add {code} --cost {cost} --qty {qty}")
elif choice == '4':
    code = input("股票代码: ")
    os.system(f"python portfolio.py remove {code}")
Confidence
100% confidence
Finding
os.system(f"python portfolio.py add {code} --cost {cost} --qty {qty}")

Tainted flow: 'code' from input (line 40, user input) → os.system (code execution)

Critical
Category
Data Flow
Content
    os.system(f"python portfolio.py add {code} --cost {cost} --qty {qty}")
elif choice == '4':
    code = input("股票代码: ")
    os.system(f"python portfolio.py remove {code}")
elif choice == '5':
    print("再见!")
    break
Confidence
100% confidence
Finding
os.system(f"python portfolio.py remove {code}")

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises and documents executable workflows that imply shell execution, local file storage, and outbound network access, but it does not declare permissions for those capabilities. This creates a transparency and governance gap: users or hosting platforms cannot accurately assess or constrain what the skill may do, increasing the chance of over-privileged execution or unexpected data access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose is portfolio monitoring, but the skill behavior reportedly extends into stock scanning and selection across a broader universe while failing to implement some promised monitoring features. This mismatch is dangerous because users may grant trust, data, or execution rights for a narrow financial monitoring use case while the skill performs materially different market-analysis actions and external data collection, undermining informed consent and increasing operational risk.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill executes shell commands as part of routine portfolio operations, and two of those paths include unsanitized user input. In the context of a finance assistant, shell execution is unnecessary for normal use and significantly increases risk because a user expects data processing, not command interpretation by the OS.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file implements a short-term stock scanner using a broad hardcoded stock pool and real-time quote ranking, which materially differs from the declared skill purpose of monitoring a user's existing holdings and generating portfolio alerts. This mismatch is dangerous because it can cause the agent to take actions or present recommendations outside user expectations, increasing the risk of unauthorized financial guidance, mistaken trades, or trust-boundary violations in a sensitive investment context.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The script persists sensitive financial portfolio data to a predictable local path under the user's home directory without prominently disclosing that behavior. In the context of an investment assistant, holdings, cost basis, and quantities are privacy-sensitive, so silent persistence can expose users to unintended local data retention and disclosure through backups, shared machines, or other local access.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The analyze command appears read-oriented but mutates and saves portfolio metadata as a side effect by filling in names and updating timestamps. Hidden write side effects are risky because users may run analysis expecting no state change, causing unexpected persistence of financial data and making the tool behave less transparently in a privacy-sensitive context.

VirusTotal

64/64 vendors flagged this skill as clean.
