
Security audit

Stock Monitor

Security checks across malware telemetry and agentic risk

Overview

This stock-monitoring skill is mostly coherent, but it should be reviewed because it stores sensitive portfolio data locally and its scheduled-report prompts send reports to a Feishu/group chat without a clear confirmation step.

Install only if you are comfortable storing watchlists, positions, costs, and trade history in ~/.openclaw and potentially sending generated reports externally. Before enabling cron tasks, verify the Feishu/group-chat recipient, disable automatic sending if you want local-only reports, and avoid entering sensitive holdings on shared or poorly protected machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes behavior that reads and writes multiple files under ~/.openclaw and performs external data fetching and message delivery, yet it declares no explicit permissions. Hidden or undeclared capabilities reduce user visibility and consent, making it easier for a skill to access local portfolio data or exfiltrate reports without clear authorization boundaries. In this context, the skill handles sensitive financial/watchlist information, which increases the risk from undeclared file and network access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The declared description frames the skill as stock monitoring and analysis, but the documented behavior expands into persistent storage of holdings and trades, portfolio P/L management, news/sentiment collection, and additional market/fund-flow intelligence. This mismatch can mislead users about the breadth of data collection and processing, undermining informed consent and masking more privacy-sensitive or higher-risk operations than the headline description suggests. Because the skill processes persistent financial records and performs network retrieval/push workflows, the mismatch is more dangerous than a purely cosmetic documentation issue.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file implements persistent portfolio, position, and trade-history management in local files under ~/.openclaw, which goes beyond the declared stock monitoring/analysis purpose. This creates unnecessary collection and retention of sensitive personal financial data, increasing privacy and misuse risk if the skill is invoked in a broader agent environment or if local files are later accessed by other components.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The CLI exposes commands for position management and trade bookkeeping (position add/remove, trade buy/sell, trades) that materially extend the skill beyond monitoring. Hidden or undeclared financial-record features can mislead users and calling agents about what data the tool will create or mutate, enabling unintended persistence of investment activity.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code persistently stores personal investment holdings and trade history in JSON files in the user's home directory without any access controls, encryption, consent flow, or retention policy. Even if this is only local storage, holdings and transaction history are highly sensitive financial data and may be exposed to other local processes, backups, or later exfiltration by unrelated tooling.
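The finding above is one a user can check for themselves before enabling the skill: list every file under the store that another local account could read or modify, and optionally tighten the tree to owner-only. The script below is an added example written for this audit page; it is not code from the Stock Monitor skill or from SkillSpector. It assumes only the ~/.openclaw location the audit names. The JSON file names and contents in demo() are constructed for illustration, since the report does not say what the skill's files are called.

```python
"""Audit and tighten the permission bits of a skill's local data store.

Added example for this audit page, not part of the skill. Assumes the
store lives at ~/.openclaw as the report states; file names are unknown,
so the scan treats every regular file under that directory the same way.
"""
from __future__ import annotations

import stat
import tempfile
from pathlib import Path

# Any permission bit for group or other means a different local account
# can read or modify the file; for holdings and trade history that is
# exactly the exposure the audit warns about.
EXPOSED_BITS = stat.S_IRWXG | stat.S_IRWXO


def exposed_files(store: Path) -> list[tuple[str, str]]:
    """Return (path relative to store, octal mode) for every regular file
    under `store` that has any group/other permission bit set."""
    findings = []
    for path in sorted(store.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # skip links so a planted symlink cannot redirect the scan
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & EXPOSED_BITS:
            findings.append((str(path.relative_to(store)), oct(mode)))
    return findings


def lock_down(store: Path, dry_run: bool = True) -> list[str]:
    """Restrict the store to its owner: 0o700 on directories, 0o600 on
    files. Returns the relative paths ('.' is the store itself) whose
    mode differs from the target; with dry_run=False they are fixed."""
    changed = []
    for path in [store, *store.rglob("*")]:
        if path.is_symlink():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        target = 0o700 if path.is_dir() else 0o600
        if mode != target:
            changed.append(str(path.relative_to(store)))
            if not dry_run:
                path.chmod(target)
    return changed


def demo() -> dict:
    """Build a constructed look-alike of the store in a temporary
    directory, audit it, lock it down and audit again. File names and
    contents are invented for the example; only the ~/.openclaw location
    comes from the audit."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / ".openclaw"
        store.mkdir()
        store.chmod(0o755)                       # common default: others may list it
        (store / "watchlist.json").write_text('["AAPL", "MSFT"]')
        (store / "watchlist.json").chmod(0o644)  # world-readable
        (store / "positions.json").write_text('{"AAPL": {"qty": 10, "cost": 150.0}}')
        (store / "positions.json").chmod(0o600)  # already owner-only
        before = exposed_files(store)
        changed = lock_down(store, dry_run=False)
        after = exposed_files(store)
        return {"before": before, "changed": sorted(changed), "after": after}


if __name__ == "__main__":
    real_store = Path.home() / ".openclaw"
    if real_store.is_dir():
        for rel, mode in exposed_files(real_store):
            print(f"exposed {mode} {rel}")
        for rel in lock_down(real_store):        # dry run: report only
            print(f"would tighten {rel}")
    else:
        print(demo())
```

Run it as-is for a report on a real ~/.openclaw, or call lock_down(store, dry_run=False) once the list looks right. Tightening modes protects against other local accounts and unprivileged processes only; it does not address backups or a process running as the same user, which is why the audit also advises against entering holdings on shared machines.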

VirusTotal

66/66 vendors reported this skill as clean (no detections). A clean antivirus verdict covers known-malware signatures only; it does not address the least-privilege and data-handling findings above.
