Stock Technical Analysis

Security checks across malware telemetry and agentic risk

Overview

This is a stock and fund analysis CLI that fetches public market data and stores a small local watchlist/config file, with no evidence of hidden theft, destructive behavior, or deception.

Install this only if you are comfortable running a Python CLI that contacts public finance data providers and writes a watchlist/config file under your home directory. For tighter supply-chain control, use a virtual environment and pin or lock dependency versions before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises executable Python usage plus dependencies and external data sources, which implies network access and likely local file read/write behavior, yet no permissions are explicitly declared in the skill metadata. This creates a transparency and control gap: hosts or users may grant broader execution than expected, and downstream code can access the filesystem or remote endpoints without clear upfront disclosure.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core dependencies (required)
pandas>=1.5.0
numpy>=1.23.0
requests>=2.28.0
Confidence
86% confidence
Finding
pandas>=1.5.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core dependencies (required)
pandas>=1.5.0
numpy>=1.23.0
requests>=2.28.0

# Optional dependencies
Confidence
86% confidence
Finding
numpy>=1.23.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core dependencies (required)
pandas>=1.5.0
numpy>=1.23.0
requests>=2.28.0

# Optional dependencies
# akshare>=1.12.0    # Backup data source for A-shares/funds
Confidence
88% confidence
Finding
requests>=2.28.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
77% confidence
Finding
requests

VirusTotal

66/66 vendors flagged this skill as clean.
