Back to skill

Security audit

Stocktoday Skill

Security checks across malware telemetry and agentic risk

Overview

This stock-data skill matches its stated purpose, but it should be reviewed because it handles API tokens in unsafe ways and ships documentation containing credential-like admin details.

Review this skill before installing. Use it only if you trust the StockToday backend and publisher, avoid highly privileged tokens where possible, and consider overriding or disabling plaintext backup URLs. The publisher should rotate any admin key or database credential-like values disclosed in release notes, remove HTTP fallback defaults, make update checks opt-in, and change token_info to use only the configured current token unless an explicitly secured admin mode exists.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The release notes explicitly disclose what appear to be live-sensitive values, including an admin key and infrastructure details, while simultaneously claiming there is no sensitive information leakage. Publishing secrets or privileged credentials in documentation can enable unauthorized administrative actions, abuse of backend endpoints, and broader compromise of associated systems.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The document states that no hardcoded token is present in environment variables, yet elsewhere it directly includes an admin key. This contradiction indicates insecure handling of privileged secrets and creates a direct path for unauthorized access if the key is valid.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The roadmap proposes an admin-only capability to query arbitrary tokens/plugins, which expands the skill beyond normal user-scoped functionality into privileged account introspection. Without a clearly justified operational need, strict authorization boundaries, and audit controls, such a feature increases the risk of privacy violations, token enumeration, and abuse by compromised agents or misconfigured deployments.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill spawns a local subprocess (`npx clawhub info stocktoday-skill`) during startup to perform a version check that is unrelated to serving user-requested financial data. Invoking package-manager tooling from a runtime skill expands the trust boundary to the local Node/npm environment and can trigger unexpected code or network activity, which is risky in an agent/plugin context.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill stores token-derived account information under the user's home directory (`~/.stocktoday-skill/token-cache.json`) across runs. Even though it strips the plaintext token, the cached response still contains account metadata such as permissions, plugins, expiry details, and warning history, creating unnecessary persistence of sensitive account data without clear user consent or disclosure.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This schema bundle is overwhelmingly for market-data retrieval, yet it exposes an internal `token_info` tool that accepts a raw token string and reveals token status, permissions, and enabled plugins. Even if intended for self-service diagnostics, bundling credential-inspection into a general tool catalog expands the attack surface for credential probing, privilege reconnaissance, and accidental secret handling by downstream agents or logs.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill launches an external subprocess (`npx clawhub info stocktoday-skill`) on startup without any user request or clear necessity for the stock-data functionality. Even though the command string is static, this expands the trust boundary to the local Node/npm toolchain and network, enabling unexpected code execution or supply-chain exposure on the host.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The `token_info` tool description says it can only query the caller's own token, but the handler accepts any `token` argument and passes it to `/TOKEN`. In a multi-user or agent-mediated setting, this allows token introspection for arbitrary tokens if an attacker can supply or trick the agent into using another user's credential, exposing subscription status, permissions, plugin access, and possibly token-linked account metadata.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The general tool schema exposes an internal `token_info` capability that accepts a raw `token` string, effectively advertising a token-inspection endpoint to any caller that can see or invoke tools. In an agent setting, this can enable secret exfiltration, token enumeration, or privilege/introspection abuse if the backend does not strictly bind requests to the authenticated caller rather than the supplied parameter.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The description says a caller can 'only query their own' token, but the schema accepts an arbitrary `token` parameter, creating a dangerous trust mismatch between documentation and enforceable behavior. If downstream code relies on this client-side convention instead of server-side authorization, an attacker could submit other users' tokens for validation, metadata harvesting, or privilege discovery.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases are extremely broad and map common, ambiguous user language directly into high-authority financial data workflows. This can cause unintended skill activation or incorrect tool routing, which is especially risky in a trading/financial context where misinterpretation of user intent can lead to misleading analysis or inappropriate data access.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill sends the authentication token in POST data to a primary endpoint and three fallback servers, two of which are plain HTTP rather than HTTPS. This exposes the credential to additional remote operators and allows interception or modification in transit on the non-TLS fallback paths, which can lead to token theft and unauthorized use of the associated account.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
The design explicitly aims to make failures invisible to the user and 'backend-friendly,' which suppresses operational transparency. In an agent skill context, silently hiding repeated upstream failures can cause the model or caller to act on missing or incomplete data as if it were real, degrading integrity and making outages or abuse harder to detect.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
After exhausting retries, the function returns { ok:false, silent:true } without meaningful disclosure to the end user, while comments indicate the system is intended to hide errors. In a skill or agent pipeline, this can cause silent data loss, incorrect downstream reasoning, and failure masking that undermines reliability and auditability.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill is configured to fail over to plaintext HTTP backup endpoints while transmitting the authentication token in the POST body. This permits interception and modification by any network adversary on the path, leading to token theft, request tampering, and unauthorized API use.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill performs an undocumented external subprocess and likely network access for version checking during startup, outside the core tool action requested by the user. This creates unnecessary attack surface and can surprise operators by invoking local package tooling that may execute untrusted components from the environment.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code intentionally converts repeated backend failures into a silent `{ ok: false, silent: true }` result without surfacing actionable error details to the caller. In an agent skill, this can hide persistent outage, abuse, or upstream blocking conditions, causing downstream logic to treat missing data as normal and making monitoring or incident response harder.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The comment states a design goal that the user/LLM should be unaware of rate limiting and that errors should be silent, which encourages deliberate suppression of operational failures. In an agent context, hidden throttling and hidden errors can cause the model to act on incomplete data, mask backend instability, and reduce transparency needed for safe decision-making.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.potential_exfiltration

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/index.ts:125

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/index.js:45

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/index.ts:11

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
dist/index.js:72

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
src/index.ts:43