Stocktoday Skill

Security checks across malware telemetry and agentic risk

Overview

This stock-data skill mostly matches its stated purpose, but it needs review because it handles API tokens with under-disclosed network destinations and automatically runs an external ClawHub command.

Review this before installing if you will use a real StockToday token. Only use a scoped token you can rotate, verify the backend and any backup endpoints you trust, and be aware that the skill may cache token status locally and run an automatic ClawHub version check in the background.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The skill spawns an external `npx clawhub info stocktoday-skill` process at runtime, which is unrelated to core stock-data retrieval and expands the attack surface. Invoking a package-manager/CLI binary can execute whatever `npx` resolves on the host PATH and may trigger network activity or untrusted code execution behavior outside the skill's stated purpose.

Intent-Code Divergence
Severity: Medium
Confidence: 96%
Finding: The schema exposes a caller-supplied `token` parameter for `token_info` while the inline description claims the tool can only query the caller's own token. If downstream enforcement is missing or inconsistently implemented, an attacker could submit arbitrary tokens to enumerate validity, permissions, expiry, or enabled plugins for other users. In a tool-calling agent context, schema-level exposure materially increases the chance of accidental insecure implementation or misuse.

Intent-Code Divergence
Severity: Medium
Confidence: 96%
Finding: The code comment and tool description state that `token_info` can only query the caller's own token, but the handler actually accepts any `token` argument and passes it to `/TOKEN`. In a skill context, this lets a user or model probe arbitrary tokens if they know or guess them, exposing subscription status, permissions, expiry, and plugin entitlements for other accounts.

Context-Inappropriate Capability
Severity: High
Confidence: 94%
Finding: The skill spawns `npx clawhub info stocktoday-skill` on startup and periodically thereafter, which executes an external package manager command outside the core stock-data function. Invoking `npx` can introduce command-execution and supply-chain risk because it depends on the local Node/npm environment, PATH resolution, and potentially remote package retrieval or script behavior.

Intent-Code Divergence
Severity: Medium
Confidence: 96%
Finding: The queue-timeout path resolves the waiter and then unconditionally increments `activeCount`, allowing requests to proceed even when the concurrency cap was never actually granted. Under load, timed-out waiters can bypass the semaphore and create more concurrent backend requests than configured, defeating the protective limit and enabling accidental or attacker-driven resource exhaustion.

Intent-Code Divergence
Severity: Medium
Confidence: 92%
Finding: The schema allows callers to supply an arbitrary token string even though the documentation claims only self-query is permitted. If backend enforcement relies on client-side convention or tool descriptions rather than authenticated binding, a caller could probe other users' token status, permissions, or plugin access, causing information disclosure and possible account enumeration.

Context-Inappropriate Capability
Severity: Medium
Confidence: 93%
Finding: The script reads a bearer-style token from the environment and automatically includes it in POST requests to a third-party domain for every tool in a large bulk test run. Even though the token is not printed locally, this behavior transmits a potentially sensitive credential to an external service in a broad, automated way, which is risky if the endpoint is untrusted, misconfigured, or not clearly scoped to this exact use.

Missing User Warnings
Severity: Medium
Confidence: 99%
Finding: The client is configured to send the API token to multiple hard-coded backup servers, three of which use plaintext HTTP. That exposes credentials and request contents to interception or tampering by network attackers and also expands trust to opaque third-party endpoints without user consent.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The README instructs users to place the API token in environment variables and directly embed it into a JSON configuration example, but it does not warn against committing secrets to source control or sharing config files. In practice, example placeholders in credential-bearing config blocks often lead users to paste real tokens into tracked files, causing accidental secret exposure and unauthorized API use.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The skill explicitly advertises a `token_info` capability that lets the agent query an internal `/TOKEN` endpoint to inspect token validity, permissions, and enabled plugins, but it does not warn that this exposes sensitive credential metadata to the backend and to any logs/telemetry in the request path. In an agent setting, token introspection increases the chance that an LLM will access, surface, or misuse credential-scoped information that is not necessary for the user's primary task.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The documentation instructs users to place a bearer token in `STOCKTODAY_TOKEN` and configure a custom backend URL, but it does not clearly disclose that the credential will be transmitted to a non-default third-party backend service (`https://tushare.citydata.club/`). This omission can mislead users and agents about where secrets are sent, increasing the risk of unintended credential disclosure to an external service.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The code sends the API token to a primary URL and then to multiple hard-coded backup servers, three of which use plain HTTP. This exposes credentials to additional operators and enables token interception or modification via man-in-the-middle attacks, especially on the non-TLS backup endpoints.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The limiter is intentionally designed to suppress failures from the user and, after retries, return a generic failure object without surfacing meaningful warnings. In an agent skill, this can hide backend outages, throttling, or partial data conditions, causing downstream logic or users to act on missing/empty results as if they were valid, which is a security-relevant integrity issue.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: The backup endpoints use plain HTTP, and `callAPI` sends the authentication token in every POST body to those servers. This exposes the token to interception or modification by any network attacker between the client and backup host, enabling credential theft and unauthorized API access.

Missing User Warnings
Severity: Low
Confidence: 88%
Finding: Even aside from disclosure concerns, automatically executing an external subprocess for update checks expands the skill's runtime trust boundary and can surprise users. In an agent skill, undisclosed process spawning is more dangerous because it introduces behavior unrelated to the requested tool action and may trigger unintended local execution paths.

VirusTotal

63/63 vendors flagged this skill as clean.