ClawHub

Current Akshare List

Security checks across malware telemetry and agentic risk

Overview

The skill’s stock-data fetching is coherent, but it includes under-scoped persistent retry instructions that could create scheduled background agent work.

Review before installing. The included script itself fetches public stock data and writes local files, but do not let the skill create cron jobs or scheduled agent turns unless it first shows the exact task, duration, output path, logs, and removal command. Use VPN advice only if it is allowed by your organization or network policy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill instructs automatic cron-based retry creation even though scheduler modification is not core to producing a stock list and no concrete safeguards are provided. Unreviewed persistence mechanisms can create unauthorized background execution, repeated network activity, and hard-to-notice system changes, especially if later generalized or copied into automation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Telling users to enable a VPN to bypass interface blocking encourages circumvention of network restrictions without discussing trust, data-routing, compliance, or privacy implications. In this context the danger is not code execution, but steering users toward risky network reconfiguration that may expose traffic or violate organizational policy.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill proposes automatically creating a cron task without a clear warning that it will modify the system scheduler and persist beyond the current run. Persistent task installation changes system state, can surprise users, and may lead to repeated external requests or lingering jobs if cleanup fails.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal