SZFIU Market Data Bot

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real market-data and trading skill, but it needs review because it persists financial credentials, overwrites global MCP configuration, and exposes broad trading-capable remote calls.

Install only if you trust FIU and intend to let OpenClaw access market and trading services. Before setup, back up and review ~/.mcp.json, prefer a paper-trading or least-privilege token, verify token files are owner-only, and avoid the generic router for any real trade, cancel, modify, or futures action unless you explicitly intend that action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The script claims secure handling, but it writes the bearer token into ~/.mcp.json and does not set restrictive permissions on that file. On systems with permissive umask or shared access, other local users or processes may be able to read the token and use it to access the user's market/MCP services.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The router exposes a generic "toolkit" endpoint in addition to market-data/trading functions, which expands the skill's effective capability beyond its stated scope. In an agent setting, this increases attack surface and can enable unintended remote operations such as code or content search that users and downstream policy may not expect.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation examples are broad natural-language phrases like 'Query Tencent Holdings quote' and 'Buy 100 shares Tencent', which can overlap with ordinary user conversation about markets. In a user-invocable trading skill, this increases the chance of accidental activation and unintended access to quote or trading workflows, especially because the skill also supports order placement.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill description uses broad natural-language activation criteria such as 'when the user wants to query stock quotes, K-line, trade stocks, check positions, or analyze market data,' which can overlap with ordinary financial discussion and cause unintended invocation. In a trading-capable skill, accidental activation is more dangerous than usual because it may expose credentials, modify configuration, or lead the agent toward high-impact financial actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation includes a concrete order-placement example using the `trade` tool without any warning that it may execute a real market order against a live brokerage/trading backend. In an agent skill whose purpose includes trading, this materially increases the chance of accidental execution, especially if an agent or user copies examples verbatim or treats them as safe test commands.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The docs show use of a bearer token in a curl command without warning that the credential is sensitive and should not be logged, shared, committed, or exposed in transcripts. In agent contexts, users commonly paste commands into terminals, chat, CI logs, or bug reports, creating an avoidable secret-handling risk.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The document instructs users to place a JWT bearer token in the Authorization header and even shows a realistic token format, but it does not clearly label the token as a secret that must never be committed, logged, or shared. In agent and MCP ecosystems, documentation is often copied verbatim into configs, examples, telemetry, and support messages, which increases the chance of credential leakage and unauthorized API access.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation shows bearer-token usage and later recommends storing a JWT in an environment variable, but it does not warn users against exposing tokens in shell history, logs, screenshots, shared config files, or checked-in examples. Because these tokens authorize access to financial data services, accidental disclosure could let an attacker consume the API, inspect accessible data, or impersonate the user until the token expires.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script stores the supplied FIU token in plaintext under $HOME/.fiu-market/config and also injects it into $HOME/.mcp.json, creating multiple local plaintext copies of a bearer credential. Any local process, backup system, or other user with access to these files could recover the token and use the MCP services with the victim's privileges, which is especially sensitive in a trading-related assistant.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The token is stored as shell code in a file that is later sourced, which creates both credential persistence and code execution risk if that file is modified by another process or attacker. Because this is a trading/market assistant using bearer tokens, compromise of the file could expose credentials or execute arbitrary commands in the user's shell context.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script sends an authenticated POST request to an external service using a bearer token, but it provides no user-facing disclosure that market queries and credentials will be transmitted off-host. In an agent-skill context, silent network egress is security-relevant because users may assume a local status check while the script actually contacts a remote trading/data backend.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends a user-provided search keyword together with a bearer-authenticated request to an external service, which creates a privacy and data-handling risk if users are unaware that their input is transmitted off-host. In this skill context, remote market-data lookup is expected functionality, so this is not inherently malicious, but the lack of explicit disclosure, host allowlisting, or minimization means sensitive terms or operational metadata could be exposed to a third party.

Session Persistence

Medium
Category
Rogue Agent
Content
user-invocable: true
allowed-tools:
  - Read
  - Write
  - Bash
metadata:
  openclaw:
Confidence
81% confidence
Finding
Write - Bash metadata: openclaw: requires: env: - FIU_MCP_TOKEN binaries: - curl - jq - date - bash primaryCredential: FIU_MCP_TOKEN -

Session Persistence

Medium
Category
Rogue Agent
Content
- Trading defaults to SIMULATE mode for safety
- Real trading requires explicit "REAL" confirmation
- Always check market status before trading
- The setup command will create/overwrite ~/.mcp.json (standard MCP config file)
- Backup is created automatically before overwriting
- Config files are stored with restricted permissions (600) - only owner can read
- This skill adds 7 FIU MCP entries to your MCP configuration
Confidence
92% confidence
Finding
write ~/.mcp.json (standard MCP config file) - Backup is created automatically before overwriting - Config files are stored with restricted permissions (600) - only owner can read - This skill adds 7

VirusTotal

66/66 vendors flagged this skill as clean.
