Back to skill

Security audit

Ai Xifu Caopan Public

Security checks across malware telemetry and agentic risk

Overview

This finance skill is mostly coherent, but it can run external helper code and write local files in ways that are broader than its safety text says.

Install only if you are comfortable with a finance skill that may use your configured market-data credentials, execute local helper scripts from your OpenClaw workspace, and create local DOCX/watchlist/tracker files. Treat all generated trading output as unverified educational material, and review or restrict environment variables before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
script = os.path.join(GS_SCRIPTS_DIR, "gs_stock_market_query.py")
    
    try:
        result = subprocess.run(
            ["python3", script, "single_hq", "--code", symbol, "--set_code", str(set_code)],
            capture_output=True, text=True, timeout=20,
            env={**os.environ}
Confidence
91% confidence
Finding
result = subprocess.run( ["python3", script, "single_hq", "--code", symbol, "--set_code", str(set_code)], capture_output=True, text=True, timeout=20, env={*

subprocess module call

Medium
Category
Dangerous Code Execution
Content
script = os.path.join(GS_SCRIPTS_DIR, "gs_stock_market_query.py")
    
    try:
        result = subprocess.run(
            ["python3", script, "past_hq", "--code", symbol, "--set_code", str(set_code), "--want_nums", str(days)],
            capture_output=True, text=True, timeout=20,
            env={**os.environ}
Confidence
91% confidence
Finding
result = subprocess.run( ["python3", script, "past_hq", "--code", symbol, "--set_code", str(set_code), "--want_nums", str(days)], capture_output=True, text=True, timeou

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The README presents the product as only an educational/reference tool while simultaneously advertising generation of complete trading plans, operational schemes, and execution-oriented guidance. This mismatch can mislead users, platform reviewers, or regulators about the real function of the skill, increasing the chance that users rely on prescriptive financial output as de facto investment advice.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The legal disclaimer denies that the product provides investment advice, but the documented chapter list explicitly includes trading plans, capital allocation, phased operations, and trading suggestions. A disclaimer does not neutralize functionality; if the skill generates actionable recommendations, users may still treat it as financial advice despite the warning text.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document claims the skill will not perform unattended file writes, but later explicitly allows automatic writes to independent log or tracker files. This is a real integrity/scope-control issue because users or reviewers may rely on the safety statement while the workflow still authorizes persistent state changes, creating a mismatch that can be abused for unauthorized data retention or silent file modification.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The workflow states it will not write system files, yet subsequent steps direct automatic updates to tracking files, logs, and statistics. Even if system files are excluded, this still enables unattended persistent writes and weakens trust boundaries, especially in an agent skill where tracking artifacts may contain sensitive prompts, predictions, or behavioral history.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The comments claim watchlist changes never happen without user confirmation, but the CLI exposes `confirm_add`, `confirm_remove`, and `add --force` paths that directly pass `confirmed=True` with no proof that a real user consent step occurred. In an agent setting, another component could invoke this script non-interactively and silently alter persisted user preferences, creating an authorization bypass relative to the documented safety model.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
`add_stock_to_watchlist` accepts a boolean `confirmed` flag, but it does not validate that confirmation came from an actual user interaction; any caller can set it to `True`. In a skill or agent workflow, this makes the confirmation check advisory only and allows unauthorized modification of the watchlist file.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The module documentation explicitly states there is no auto-fetch and that users must provide their own data, but the implementation later calls get_geopolitical_risks() implicitly. This creates a trust and data-flow mismatch: consumers may run the function in restricted or offline environments assuming no external access, while the code can still trigger hidden network or plugin-backed retrieval and incorporate untrusted external content.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The code invokes another local program without clear disclosure, and more importantly it does so via a subprocess that inherits the full environment. The lack of warning is not the main issue; the real danger is hidden execution of a separate mutable component, which increases supply-chain and local tampering risk in this skill context.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The template explicitly hard-codes `_input_lang = "zh"` and `_dest_lang = "zh"`, forcing Chinese output regardless of user preference or detected language. In a multilingual agent context this can cause user-intent mismatch, inaccessible output, and policy/compliance issues, though it does not directly create code execution or data exfiltration risk.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The function writes a DOCX file to disk automatically using data-derived filename components without an explicit opt-in at the point of action. In agent or automation contexts, silent filesystem writes can leak sensitive trading inputs, create unwanted artifacts, or violate caller expectations about pure document generation.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The function unconditionally writes a DOCX file to disk in the script directory whenever it is called, without explicit caller opt-in at the write point. In an agent or skill environment, this can cause unintended persistent file creation, overwrite conflicts, disk clutter, or leakage of sensitive user-supplied financial data into local storage.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.