Security audit

Aastock Daily

Security checks across malware telemetry and agentic risk

Overview

This A-share reporting skill matches its broad purpose, but it under-discloses credential and portfolio data handling and includes misleading hard-coded financial outputs.

Review before installing. Treat the reports as informational only, verify market data elsewhere, and be aware that your configured holdings may be sent to external APIs. Remove the embedded fallback API key, document or disable vault access, delete the unrelated /tmp parser, and replace hard-coded or simulated financial figures before relying on this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill documentation declares no permissions, yet the described/observed capabilities include shell execution and file read/write. That creates a transparency and trust gap: users may install a finance-oriented skill expecting limited behavior while it can access local files and run commands, which could expose portfolio data or enable unintended host interactions if the implementation is broader than advertised.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The reported behavior extends beyond the stated A-share briefing purpose by reading unrelated local files in /tmp, writing parser outputs, and including generic parsing/report-generation utilities. In a finance skill that handles sensitive holdings data, undeclared local file access and unrelated processing materially increase the risk of data exposure, covert collection, or hidden functionality, especially since users would not reasonably expect those operations.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The function `get_limit_stats()` calls itself (`local stats=$(get_limit_stats 2>/dev/null)`), causing infinite recursion instead of retrieving external statistics. In a shell script this can lead to unbounded process/function invocation, failure to generate the report, and potential resource exhaustion or denial of service for the agent runtime.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script reads credentials from a user-specific vault path and, if none are present, silently falls back to a hardcoded API key embedded in the skill. Bundling usable credentials in distributed code is a secret-management flaw that can enable unauthorized third-party use, make attribution impossible, and create hidden outbound access beyond what the user explicitly configured.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The function claims to generate weekly dynamics for the user's portfolio, but it ignores the parsed user holdings and instead searches and reports on a hard-coded stock list. In a portfolio-management skill, this creates materially misleading investment output and can cause users to act on analysis unrelated to their actual assets.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The code fabricates weekly gain/loss values using fixed-seed random choices while presenting them as portfolio weekly dynamics. In a financial reporting context, synthetic performance data is deceptive and can directly misinform trading or risk decisions because users are likely to interpret the numbers as factual market data.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
This is a real integrity issue: the script presents dividend tracking as portfolio-based, but it uses hardcoded simulated holdings and a static estimate rather than the user's actual positions. In a financial assistant context, this can mislead users into making portfolio decisions based on incorrect expected dividend income, especially because the output is phrased as if it reflects their holdings.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file checks whether a portfolio exists, implying personalized analysis, but the downstream dividend estimation is not actually derived from that portfolio. In the context of a 'portfolio manager' skill, this is dangerous because it creates false trust in personalized financial monitoring and may cause users to rely on inaccurate dividend expectations or coverage assumptions.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script claims to use real Eastmoney data, but several major sections are actually hardcoded or only superficially query data before printing fixed content. In a stock-reporting skill, this is dangerous because users may make trading decisions based on stale or fabricated market information presented as current analysis.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The '龙虎榜动态' function (the "Dragon-Tiger list dynamics" section, i.e. the exchange's daily list of top trading seats) appears to fetch current data but ignores the returned items and instead emits fixed trader names, stocks, and transaction amounts. In the context of an A-share daily briefing and portfolio assistant, this can directly mislead users about institutional and hot-money flows, creating a meaningful risk of financial harm.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The skill centers on monitoring a user's holdings and pushing updates, but the documentation does not warn that portfolio composition is privacy-sensitive data. In this context, holdings can reveal investment strategy and financial status; absent disclosure and handling guidance, users may unknowingly expose sensitive information through logs, push channels, or external API requests.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README states that authenticated external APIs are used for news and sentiment, but it does not explain that user-related data may be transmitted off-device or how credentials are managed. In a portfolio-tracking skill, silent external transmission and undocumented secret handling increase the chance of credential leakage, misuse of API tokens, or unintended sharing of sensitive watchlist/holding information.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
A hardcoded fallback API key is present in the script and used automatically without prompting or disclosure. This exposes a credential to anyone with access to the code, encourages shared-secret reuse, and causes outbound requests to occur under an undisclosed identity that the user did not provision.

VirusTotal

42/42 vendors flagged this skill as clean.