Eastmoney Api

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it advertises a small market-data role while its referenced instructions cover a much broader finance application with auth, admin, LLM, portfolio, scheduling, and server behavior.

Install only after reviewing the full capability catalog, not just the Eastmoney API label. Use a virtual environment, do not provide broker credentials or paid API keys unless you intend those workflows, and require explicit approval before starting servers, generating trading code, saving new skills, running scheduled jobs, or connecting anything to live financial accounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (17)

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding
The manifest positions this as a market-data skill, but the documented pipeline and use cases materially expand scope into factor computation, stock selection, trading execution, server startup, and web hosting. That capability drift increases the chance an agent will invoke the skill for actions far beyond passive data retrieval, including potentially sensitive or irreversible trading-related operations.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
Claiming support for pre/post-market analysis and application hosting extends the operational scope beyond the declared purpose of obtaining A-share market data. In an agent ecosystem, this can mislead routing and authorization logic, causing the skill to be selected for execution contexts that involve code execution, service exposure, or decision support rather than simple data access.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
Static file serving and SPA routing are unrelated to the stated market-data function and introduce unnecessary application-surface area. Even though the markdown itself is not executable, documenting and exposing web-serving capability in a data skill encourages deployment of extra network-facing components, which increases the risk of misuse, unintended exposure, and broader attack surface.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The human summary materially expands the skill from an A-share eastmoney market-data API into a broad quant-strategy, code-generation, and backtesting assistant. That scope mismatch can cause the agent orchestrator or users to invoke the skill for capabilities it was not intended or approved to perform, increasing the chance of unsafe code generation, incorrect tool use, or policy bypass through confused-deputy behavior.

Description-Behavior Mismatch

Severity: Low
Confidence: 90%
Finding
The summary claims support for HK, crypto, and partial US stocks even though the skill metadata centers on A-share eastmoney API functionality. Even if not directly exploitable as code execution, this misrepresentation can misroute requests, trigger unsupported workflows, and cause data integrity or compliance issues when the agent relies on advertised coverage that the skill may not safely provide.

Description-Behavior Mismatch

Severity: Medium
Confidence: 85%
Finding
The documented component map shows capabilities far beyond the declared purpose of an Eastmoney market-data skill, including portfolio management, recommendation, scheduled tasks, reporting, and LLM services. This kind of scope mismatch is dangerous because it can conceal undeclared data processing or autonomous behaviors, weakening user trust boundaries and making security review, permissioning, and least-privilege enforcement much harder.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The declared skill metadata says this is an A-share market data retrieval skill with fallback/rate limiting, but the seed actually defines a much broader application surface including auth, admin, LLM, portfolios, and reporting. This scope mismatch is dangerous because it can cause the host or reviewer to grant trust, permissions, or invocation opportunities far beyond what users expect, enabling unintended exposure of unrelated high-risk capabilities.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The skill is presented as A-share data sourcing, yet the seed includes US market data, commodities analysis, and mixed-domain workflows. This weakens boundary assumptions and increases the chance that a host routes unrelated requests into this skill or exposes data paths and tooling that were not approved under the stated scope.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
User authentication and JWT issuance are materially more sensitive than passive market-data retrieval and are not justified by the stated purpose. Hidden or under-disclosed auth functionality increases the attack surface for credential abuse, token forgery/misconfiguration, and privilege escalation under a misleadingly low-risk skill label.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
Embedding an LLM assistant with tool execution inside a skill advertised as market-data access materially changes the risk profile. Tool-calling components can widen data access, trigger unintended actions, and create prompt-injection and confused-deputy paths if the host assumes this skill is only a bounded data fetcher.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
Admin and system-test endpoints are unrelated to an end-user market-data skill and can expose privileged diagnostics or control surfaces. Even if intended for maintenance, bundling them into a broadly invocable skill increases the chance of accidental exposure or misuse in lower-trust contexts.

Vague Triggers

Severity: High
Confidence: 93%
Finding
The trigger terms 'start, server, run' are extremely broad and likely to match unrelated user requests. In an agent environment, ambiguous triggers can cause unintended invocation of this skill, which is especially risky here because the skill advertises execution, hosting, and trading-adjacent functionality beyond simple data lookup.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The FastAPI use-case triggers 'application, fastapi, server' are ambiguous infrastructure terms that can match many benign developer conversations. This can lead an orchestrator to invoke the wrong skill or expose capabilities the user did not request, especially when combined with the skill's broadened scope into hosting and execution.

Vague Triggers

Severity: High
Confidence: 96%
Finding
The execute-trigger rule activates on broad intent matches plus common action verbs like run, execute, 跑, 执行, backtest, fetch, and collect. This is insufficiently constrained for a skill that references data collection, analysis, selection, and trading execution, creating a credible risk of accidental invocation and unintended downstream actions.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
Phrases like 'Just tell me what you want; I'll write the code' are overly broad and encourage invocation for loosely related tasks beyond market-data retrieval. In an agent environment, broad activation language increases the risk that the skill is selected in inappropriate contexts, leading to overreach into code generation or strategy advice that may be unreviewed, unsupported, or unsafe.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
Broad trigger terms increase the likelihood that the skill activates on loosely related user requests. In a skill with mixed capabilities and privileged operations, accidental activation can route users into the wrong execution path, exposing data or actions they did not intend to invoke.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
Using a generic trigger like 'help' is unsafe because it matches ordinary conversation and can spuriously activate the skill. Given this seed includes assistant, admin, reporting, and data features, vague activation materially raises the risk of confused routing and unintended capability exposure.

VirusTotal

64/64 vendors flagged this skill as clean.