A-Share Stock Trading Assistant (A股股票交易助手)

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis skill is mostly coherent, but its alert feature creates recurring QQ bot alerts to a fixed recipient with weak disclosure and user control.

Review before installing. Avoid running the alert script unless you have verified and changed the QQ recipient, understand that it creates a recurring OpenClaw cron job, and know how to remove that job. Treat the trading analysis as informational only, especially because some outputs use mock or fallback data when live sources are unavailable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding
The skill advertises executable scripts and appears to use shell, file read, and file write capabilities without declaring permissions. Undeclared capabilities reduce transparency and can bypass user/admin expectations about what the skill is allowed to do, especially in an environment where scripts may access local files or execute system commands.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding
This is a real security issue because the documented behavior omits sensitive actions: scheduling alerts through cron, sending messages to a QQ bot user, using a hardcoded recipient ID, and persisting trading data under a root-owned workspace path. Hidden outbound messaging, hardcoded identities, and local persistence materially expand the skill's trust boundary beyond stock analysis and could be abused for covert notification, data leakage, or unauthorized background activity.

Intent-Code Divergence

Severity: Low
Confidence: 82%
Finding
When live retrieval fails, the script silently substitutes hardcoded mock sector fund-flow data and presents it as '参考分析', which could be mistaken for real market intelligence. In a trading-assistant skill, this can mislead downstream decisions and create integrity risk, especially because users may act on fabricated financial signals.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The script presents itself as analyzing real stock news and announcements, but actually fabricates sentiment inputs from hardcoded mock headlines. In a stock-trading skill, this is dangerous because it can mislead users into making financial decisions based on invented data while appearing authoritative.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
This script does more than stock analysis: it provisions a persistent scheduled job that sends outbound alerts. That expands the skill from passive analysis into autonomous messaging, which can be abused for unsolicited notifications or covert persistence beyond the user's immediate request.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The script creates persistent scheduled messaging to a QQ channel, which is a sensitive outbound-communication capability not obviously necessary for stock analysis. In a trading-assistant context, autonomous outbound messaging increases the risk of spam, user tracking, or unauthorized notifications that continue after the original interaction ends.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The code hard-codes a specific recipient ID, causing all alerts to be sent to a fixed QQ account regardless of who invoked the script. This can redirect user-derived content to an unintended third party, enabling unsolicited messaging and potential data leakage outside the requested stock-analysis workflow.

Missing User Warnings

Severity: Medium
Confidence: 78%
Finding
The reset command unconditionally overwrites the trading record file, causing irreversible local data loss with a single invocation. In an agent-skill context, this is more dangerous because an automated or mistaken tool call could wipe user state without confirmation, reducing integrity and availability of portfolio history.

VirusTotal

60/60 vendors flagged this skill as clean.