Security audit

Stocks Quant Assistant

Security checks across malware telemetry and agentic risk

Overview

This stock alert skill matches its stated purpose, but it needs Review because it automatically creates background jobs and includes helper scripts that can expose messaging secrets or change system settings.

Install only if you intentionally want a background stock monitor that can send your configured watchlist and holdings to Feishu or Telegram. Review the launchd/cron entries after install, avoid running scripts/health-check.sh until secrets are redacted, do not run scripts/setup-sleep.sh unless you deliberately want system-wide macOS power-setting changes, and use dedicated low-privilege messaging bot credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run(cmd, check=True, timeout=30):
    """Run a shell command"""
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)
    if check and result.returncode != 0:
        print(f"[ERROR] Command failed: {cmd}")
        print(f"STDERR: {result.stderr}")
Confidence
94% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import yaml
    except ImportError:
        print("[INFO] 正在安装 pyyaml...", file=sys.stderr)
        result = subprocess.run(
            [sys.executable, '-m', 'pip', 'install', 'pyyaml', '--quiet'],
            capture_output=True, text=True, timeout=60
        )
Confidence
94% confidence
Finding
result = subprocess.run( [sys.executable, '-m', 'pip', 'install', 'pyyaml', '--quiet'], capture_output=True, text=True, timeout=60 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
with open(plist_path, 'w') as f:
                f.write(plist_content)
            # Try to load first; if it fails (permission issue), give clear guidance
            load_result = subprocess.run(
                ['launchctl', 'load', plist_path],
                capture_output=True, text=True, timeout=10
            )
Confidence
97% confidence
Finding
load_result = subprocess.run( ['launchctl', 'load', plist_path], capture_output=True, text=True, timeout=10 )

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The health-check script extracts Feishu configuration entries and prints them directly to stdout. Because the matched fields include sensitive values such as app_id, app_secret, and chat_id, anyone with terminal access, shell history capture, CI logs, or centralized log collection could view credentials that should remain secret.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The code claims first run creates a blank non-pushing config, but main() calls check_and_install() before load_config(), so dependency installation and launchd registration can happen before the user has configured anything. This mismatch is dangerous because users may believe first run is non-invasive while it already performs persistent system changes.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The function documentation describes dependency checking and installation, but the implementation also writes a LaunchAgent and attempts to load it. Security-relevant behavior that is concealed by misleading documentation increases the chance of uninformed execution and weakens user consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Running the health check during business hours automatically sends a real Feishu message without explicit user confirmation at execution time. In an agent-skill context, side effects on external messaging systems can surprise users, spam chats, and leak operational metadata such as that the monitor is installed and active.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
This code reads configuration fields that may contain Feishu secrets and echoes them without any warning or redaction. In operational environments, health-check output is commonly copied into tickets, pasted into chats, or captured by monitoring tooling, which turns a local diagnostic into a credential disclosure channel.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer automatically registers persistent scheduled tasks without an explicit opt-in prompt or prior warning. That behavior establishes persistence on the host and can surprise users, which is particularly risky for agent skills because code will continue executing later outside the initial install context.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script writes configuration and scheduler-related files to disk as part of setup without prompting the user first. While creating a default config is common, silent writes reduce transparency and can combine with the persistence behavior to make installation more invasive than expected.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script installs packages and registers a scheduled task automatically, both of which are privileged or persistent side effects that should require explicit user approval. In an agent skill ecosystem, hidden setup behavior is especially risky because users may expect analysis/reporting code, not environment modification and persistence.

Ssd 3

Medium
Confidence
98% confidence
Finding
The script reveals messaging configuration entries in plaintext during a routine health check. In the context of an agent skill that may be run by users, support staff, or automation, this increases danger because seemingly harmless diagnostics can expose integration secrets and recipient identifiers beyond the intended audience.

Session Persistence

Medium
Category
Rogue Agent
Content
**Fix:**
```bash
launchctl load ~/Library/LaunchAgents/com.openclaw.stock-monitor.plist
# Add sudo if administrator privileges are required
sudo launchctl load ~/Library/LaunchAgents/com.openclaw.stock-monitor.plist
```
Confidence
86% confidence
Finding
launchctl load

Session Persistence

Medium
Category
Rogue Agent
Content
**Fix:**
```bash
launchctl load ~/Library/LaunchAgents/com.openclaw.stock-monitor.plist
# Add sudo if administrator privileges are required
sudo launchctl load ~/Library/LaunchAgents/com.openclaw.stock-monitor.plist
```
Confidence
86% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
launchctl load ~/Library/LaunchAgents/com.openclaw.stock-monitor.plist
# Add sudo if administrator privileges are required
sudo launchctl load ~/Library/LaunchAgents/com.openclaw.stock-monitor.plist
```

### ❌ Error message "Real-time data fetch failed"
Confidence
88% confidence
Finding
launchctl load

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
launchctl load ~/Library/LaunchAgents/com.openclaw.stock-monitor.plist
# Add sudo if administrator privileges are required
sudo launchctl load ~/Library/LaunchAgents/com.openclaw.stock-monitor.plist
```

### ❌ Error message "Real-time data fetch failed"
Confidence
88% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
│   ├── launchd.log
│   └── launchd.err
└── LaunchAgents/         # macOS scheduled task
    └── com.openclaw.stock-monitor.plist
```

---
Confidence
82% confidence
Finding
plist

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.