Ifind Mcp

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed iFinD financial-data connector; its main risks are ordinary credential hygiene and a rough helper script, not hidden or malicious behavior.

Install only if you trust iFinD and the mcporter package. Treat the Authorization value as a secret, keep ~/.openclaw/mcporter.json private, avoid putting confidential research or regulated information in queries, and rotate the token if it is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script always tries a fixed sequence of tool calls regardless of the selected domain, so a `stock`, `fund`, `edb`, or `news` request may be routed to unrelated methods if the first call fails. In a financial-data skill, this can cause unintended cross-domain access, misleading results, and accidental disclosure of data the user did not request, especially because errors are suppressed for the fallback attempts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to extract a bearer token from another file and store it in a persistent plaintext configuration file, but it does not warn that the token is sensitive, should be access-restricted, or should not be shared or committed. Bearer tokens typically grant direct API access, so mishandling can lead to unauthorized use of paid data services, account abuse, or leakage of financial data access privileges.

Session Persistence

Medium
Category
Rogue Agent
Content
Configure the key in `~/.openclaw/mcporter.json` (recommended, cross-platform compatible):

```bash
mkdir -p ~/.openclaw
cat > ~/.openclaw/mcporter.json << 'EOF'
{
  "mcpServers": {
```
Confidence
91% confidence
Finding
```bash
mkdir -p ~/.openclaw
cat > ~/.openclaw/mcporter.json << 'EOF'
{
  "mcpServers": {
    "hexin-ifind-stock": {
      "url": "https://api-mcp.51ifind.com:8643/ds-mcp-servers/hexin-ifind-ds-stock-mcp",
```

VirusTotal

66/66 vendors flagged this skill as clean.
