Security audit

Nepse Analyst

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent NEPSE stock analysis skill with optional Telegram alerts, but users should handle Telegram credentials and watchlist privacy carefully.

Install only if you are comfortable with a Python skill that installs dependencies, scrapes NEPSE market sites, stores watchlists/alerts locally, and can send stock symbols, prices, and alert thresholds to Telegram when configured. Do not paste real Telegram credentials into a setup flow that may be logged; prefer a dedicated bot/chat and OpenClaw-scoped secret configuration, and avoid storing tokens in ~/.bashrc.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Tainted flow: 'url' from os.environ.get (line 58, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
        return False
    try:
        url = f"https://api.telegram.org/bot{TELEGRAM_BOT_TOKEN}/sendMessage"
        resp = requests.post(url, json={
            "chat_id": TELEGRAM_CHAT_ID,
            "text": message,
            "parse_mode": "Markdown"
Confidence
93% confidence
Finding
resp = requests.post(url, json={ "chat_id": TELEGRAM_CHAT_ID, "text": message, "parse_mode": "Markdown" }, timeout=10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no permissions while instructing the agent to execute Python, access the network, and read/write persistent local state. This creates a transparency and consent gap: a user or platform may invoke the skill believing it is analysis-only, while it can perform privileged actions such as package installation, filesystem writes, and outbound requests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose presents a market-analysis skill, but the behavior includes outbound Telegram notifications, scheduled monitoring, persistent storage, and additional live-monitoring behavior beyond simple analysis. Description-behavior mismatch is dangerous because it hides data flows and automated actions that may expose user information, consume resources, or surprise users with ongoing monitoring and messaging.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill reads Telegram bot credentials from environment variables, introducing access to unrelated external messaging infrastructure. In the context of a NEPSE analyst skill, this expands privilege beyond stock analysis and creates a covert-capable notification/exfiltration path if the skill is triggered autonomously or without clear user understanding.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This function sends outbound Telegram messages containing skill-generated content, adding an external communications capability not disclosed by the manifest. Even though the transmitted data is stock-related, the presence of arbitrary outbound messaging materially increases risk because it can leak user watchlists, trading interests, and activity patterns.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The script description includes alert management and Telegram notifications, which is broader than a simple analyst role described in the manifest. This mismatch matters because users and orchestration systems may grant the skill trust appropriate for analysis, not for persistence, scheduling, and external messaging.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The cron-check routine performs autonomous monitoring of stored watchlists and alerts and sends summaries/alerts to Telegram. In skill context, this is more dangerous than normal scraping because it enables unattended recurring external transmission and persistence of user interest data without a per-use interaction.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
The script includes an outbound notification channel to Telegram, which sends watchlist-derived trading alerts to a third-party service. In a stock-analysis skill this feature can be functionally relevant, but it still introduces a data egress path and surprise external communication risk if users are unaware it is enabled.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The setup script expands the skill from a stock-analysis helper into a Telegram-enabled alerting workflow by collecting bot credentials and instructing the user to wire them into OpenClaw. That broader capability is not clearly justified by the stated analyst/query role, which increases the attack surface and could enable unreviewed outbound messaging if the skill or its companion script is abused.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script asks for Telegram Bot Token and Chat ID even though the visible skill description centers on market analysis, screening, and portfolio/watchlist functions. Collecting external messaging credentials without clear necessity or prior disclosure is risky because it normalizes sharing secrets with a setup script and could facilitate unauthorized notifications or data exfiltration via Telegram.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger scope includes broad phrases like general investing questions, market summaries, and symbol-based activation, which can cause the skill to run in contexts the user did not intend. Over-broad invocation increases the chance that the agent executes networked scripts or writes state unexpectedly, especially when the skill has undeclared powerful capabilities.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs users to configure automatic alerts that send Telegram messages, but the skill description does not prominently warn that notifications are delivered through an external service. Missing disclosure is risky because users may unknowingly enable third-party data sharing and background alerting without understanding the privacy and operational implications.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Telegram notifications send stock/watchlist-related information externally without any in-code indication of user-facing notice or consent. This creates a privacy issue because portfolio interests and alert thresholds can reveal financial behavior and intentions.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The code persists watchlist and alert data to local JSON files without explicit disclosure. This is a lower-severity privacy issue, but in a financial-analysis context it still matters because stored symbols and thresholds may reveal user investment interests.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The code transmits alert content to Telegram without any explicit user-facing disclosure in the CLI output or comments near the execution path. Even if the content is not highly sensitive, undisclosed external transmission can violate user expectations and organizational policies, especially in agent skills that may run unattended.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script reads the Telegram bot token and then prints it back to the terminal inside example configuration and shell export commands. This exposes the secret in plaintext to shoulder-surfing, terminal logs, scrollback buffers, shell history copied by the user, and recording software, turning a setup convenience into direct credential leakage.

VirusTotal

65/65 vendors flagged this skill as clean.
