Security audit

TVFetch

Security checks across malware telemetry and agentic risk

Overview

TVFetch is a coherent market-data skill, but it asks users to extract and persist sensitive TradingView session tokens with under-disclosed handling risks.

Install only if you are comfortable with a market-data tool that contacts TradingView and optional fallback providers, writes cache data under ~/.tvfetch, and may handle a TradingView session token. Avoid pasting browser cookies or passwords unless you understand they are sensitive credentials; prefer anonymous mode, avoid --token on shared systems, review ~/.tvfetch/.env permissions, and be careful running it in untrusted project directories because local .env files can influence authentication.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration

Findings (21)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill exposes significant capabilities—network access, environment access, file reads/writes, and package installation/execution—without an explicit permissions model or tight operational boundaries. In an agent setting, this increases the chance that a routine data request results in unreviewed network calls, local state changes, or package execution beyond what a user expects.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 97% confidence
Finding: The documented purpose is market-data retrieval, but the skill behavior extends into credential/token handling, browser/session token extraction guidance, fallback data sources, persistent caching, and local deployment actions. That mismatch is dangerous because users and orchestration systems may grant trust based on the benign description while the skill can access authentication material, alter local state, and interact with additional external services.

Description-Behavior Mismatch

Medium

Confidence: 91% confidence
Finding: The skill metadata claims 'No API key required,' but this script clearly manages TradingView authentication tokens, creating a mismatch between declared behavior and actual credential handling. That discrepancy can mislead users and reviewers into granting the skill more trust than warranted, especially because auth tokens are sensitive credentials even if they are not labeled as API keys.

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: The script provides step-by-step instructions to extract a TradingView auth token from browser cookies or WebSocket traffic, which materially facilitates credential collection from a user's authenticated session. In the context of a skill advertised as requiring no API key, this is especially risky because it normalizes sensitive token extraction without clearly warning about security, account, or terms-of-service implications.

Context-Inappropriate Capability

Medium

Confidence: 94% confidence
Finding: This script propagates the skill into multiple agent-specific directories under the user's home directory, enabling broad installation across different assistant ecosystems. That behavior is not required for the stated purpose of fetching TradingView market data and increases the blast radius of any malicious or unsafe skill contents by making persistence and cross-agent deployment easy.

Description-Behavior Mismatch

Medium

Confidence: 87% confidence
Finding: When TradingView retrieval fails, the function silently switches to Yahoo Finance or CCXT and returns that data as a normal result. This creates a trust-boundary and provenance issue: callers expecting TradingView-only data may unknowingly consume different market data with different semantics, which can corrupt analysis, backtests, or compliance-sensitive workflows without any explicit user consent.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The README explicitly instructs users to extract a TradingView auth token from browser cookies and store it for reuse, but does not clearly warn that this token is a sensitive credential equivalent to session authentication. This increases the risk of credential theft, accidental disclosure via shell history, dotfiles, logs, backups, or shared environments, especially because the skill is designed for agent-assisted use and persistence is encouraged.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The auto-activation triggers are very broad and overlap with common financial queries, increasing the likelihood the skill runs in contexts where the user did not intend tool execution. In an agent environment, overbroad activation can lead to unexpected network access, local installs, cache writes, or symbol resolution actions from ordinary conversational prompts.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The skill metadata advertises extremely broad auto-activation criteria, including generic phrases like "get data for," "download prices," performance questions, and effectively any trading symbol. Combined with allow_implicit_invocation: true, this can cause the skill to trigger in many unrelated contexts, creating tool-selection hijacking risk where the agent invokes this skill when the user did not clearly request it. The issue is made more dangerous by the financial/trading context because many ordinary conversations mention tickers, prices, or market terms, increasing accidental activation frequency.

Natural-Language Policy Violations

Medium

Confidence: 97% confidence
Finding: The manifest explicitly instructs users to retrieve a TradingView auth token by reading the browser's auth_token cookie from DevTools. Encouraging direct extraction and reuse of session or authentication material from browser cookies bypasses normal OAuth/API-key flows, can violate least-privilege expectations, and increases the chance users expose a powerful credential to the skill or other tooling without clear authorization boundaries.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The code writes the auth token in plaintext to ~/.tvfetch/.env and prints a token preview, but gives no explicit warning about storing a bearer credential on disk. Plaintext local storage increases the risk of credential theft through local compromise, backups, accidental disclosure, or permissive file permissions.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The script accepts an authentication token via the --token command-line argument, which can expose credentials through shell history, process listings, job control tools, and system monitoring on multi-user environments. In a trading/data-fetching skill, tokens may grant access to paid market data or user-linked services, so disclosure can enable unauthorized API use and account abuse.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The code reads credentials from the system keyring and `show_config()` later prints a token preview to stdout. Even partial secret disclosure can aid correlation, debugging-log leakage, or accidental exposure in CI terminals and shell history, and there is no explicit warning or redaction policy beyond truncation.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documentation instructs users to extract a browser cookie-derived auth token and paste it into the tool without clearly treating it as a sensitive credential. That normalizes unsafe secret-handling practices and could lead to account compromise, token leakage in logs/history, or unauthorized reuse if the token is copied into prompts, scripts, screenshots, or shared environments.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The function accepts raw usernames and passwords and transmits them to a remote service, but there is no strong user-facing warning that credentials are sensitive or guidance on secure handling. In an agent-skill context, this can normalize password collection and increase the risk of users entering credentials into an environment they may not fully trust.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The docstring instructs users to extract an auth token from browser cookies or WebSocket traffic without clearly warning that the token is effectively a bearer credential. If copied into the wrong place, logged, or shared with the skill, it could allow account access equivalent to the user's TradingView session.

Ssd 3

Medium

Confidence: 97% confidence
Finding: Telling users to retrieve and reuse an auth token from browser cookies encourages manual exfiltration of session credentials from a trusted browser context into other contexts. In a skill ecosystem, this is more dangerous because users may paste secrets into agent prompts, notebooks, shared terminals, or logs, increasing the chance of credential theft and unintended account access.

Autonomous Decision Making

Medium

Category: Excessive Agency
Content: Handle each error class with specific actions: ### TvSymbolNotFoundError (exit code 2) 1. Automatically run: `python ${CLAUDE_SKILL_DIR}/scripts/lib/search.py "ORIGINAL_QUERY" --limit 5` 2. Show results and ask user which to use 3. If no results: suggest checking the TradingView website directly
Confidence: 81% confidence
Finding: Automatically run

Credential Access

High

Category: Privilege Escalation
Content: def cmd_set(token: str) -> int: """Save token to ~/.tvfetch/.env""" # Validate first valid, reason = validate_token(token) if not valid:
Confidence: 90% confidence
Finding: .env"

Credential Access

High

Category: Privilege Escalation
Content: except (ImportError, Exception): pass # 5. .env in current working directory cwd_env = _load_env_file(Path.cwd() / ".env") if cwd_env.get("TV_AUTH_TOKEN"): return cwd_env["TV_AUTH_TOKEN"], "cwd_env"
Confidence: 81% confidence
Finding: .env

Credential Access

High

Category: Privilege Escalation
Content: pass # 5. .env in current working directory cwd_env = _load_env_file(Path.cwd() / ".env") if cwd_env.get("TV_AUTH_TOKEN"): return cwd_env["TV_AUTH_TOKEN"], "cwd_env"
Confidence: 84% confidence
Finding: .env"

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal