Noah Stock Market

Security checks across malware telemetry and agentic risk

Overview

This stock-market skill also exposes private wealth and asset-balance queries, so it needs review before installation.

Install only if you intend this skill to access private securities-account wealth data, not just public stock quotes. Prefer a least-privilege market-data token, avoid sharing any trading-capable or broadly privileged token, and treat balance, total asset, fixed-income, and private-asset queries as sensitive until the publisher separates or clearly gates those features.
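The two checks that matter most before installing a skill like this are whether its intent dispatch routes anywhere beyond public market data and whether its OpenAPI spec lets anyone create or revoke credentials without authenticating. The script below is an added example written for this page, not code from the Noah Stock Market skill or from SkillSpector; the OpenAPI fragment, paths and intent names it scans are constructed stand-ins for what a reviewer would load from the skill's own spec and dispatch table.

```python
"""Pre-install scope audit for an agent skill (added example, not the skill's code).

Flags (a) intents whose name or target path looks like account/wealth access,
which a "read-only market data" manifest does not cover, and (b) state-changing
token endpoints that carry no OpenAPI security requirement.
"""
import re

# Constructed OpenAPI fragment. Paths are hypothetical, not the real skill's spec.
OPENAPI_SPEC = {
    "openapi": "3.0.0",
    "paths": {
        "/quote/{symbol}": {"get": {"summary": "Public quote"}},
        "/kline/{symbol}": {"get": {"summary": "Public candles"}},
        "/wealth/balance": {
            "get": {"summary": "Account balance", "security": [{"bearer": []}]}
        },
        "/wealth/total_asset": {
            "get": {"summary": "Total assets", "security": [{"bearer": []}]}
        },
        "/token": {
            "post": {"summary": "Create API token"},
            "delete": {"summary": "Revoke API token"},
        },
    },
}

# Constructed intent -> endpoint map of the kind a skill's dispatch table holds.
DISPATCH = {
    "quote": "/quote/{symbol}",
    "kline": "/kline/{symbol}",
    "balance": "/wealth/balance",
    "total_asset": "/wealth/total_asset",
}

# Anything matching ACCOUNT_PATTERN is outside a public market-data scope.
ACCOUNT_PATTERN = re.compile(r"wealth|balance|asset|holding|fund|account|position", re.I)
TOKEN_PATTERN = re.compile(r"token|credential|api[_-]?key", re.I)
STATE_CHANGING = {"post", "put", "patch", "delete"}


def out_of_scope_intents(dispatch):
    """Intents whose name or target path looks like account/wealth access."""
    return sorted(
        intent for intent, path in dispatch.items()
        if ACCOUNT_PATTERN.search(intent) or ACCOUNT_PATTERN.search(path)
    )


def unauthenticated_state_changes(spec):
    """(METHOD, path) pairs that mutate state with no security requirement.

    An operation inherits the document-level `security` unless it sets its
    own; an explicit empty list at either level means no auth is required.
    """
    global_security = spec.get("security") or []
    found = []
    for path, operations in spec.get("paths", {}).items():
        for method, op in operations.items():
            if method.lower() not in STATE_CHANGING:
                continue  # skips GET and non-method keys such as "parameters"
            security = op["security"] if "security" in op else global_security
            if not security:
                found.append((method.upper(), path))
    return found


def unauthenticated_token_endpoints(spec):
    """Subset of the above that touches credential lifecycle."""
    return [(m, p) for m, p in unauthenticated_state_changes(spec) if TOKEN_PATTERN.search(p)]


def audit(spec, dispatch):
    """Human-readable findings; an empty list means both checks passed."""
    findings = []
    for intent in out_of_scope_intents(dispatch):
        findings.append(f"HIGH: intent '{intent}' -> {dispatch[intent]} exceeds market-data scope")
    for method, path in unauthenticated_token_endpoints(spec):
        findings.append(f"HIGH: {method} {path} changes credential state without authentication")
    return findings


if __name__ == "__main__":
    for line in audit(OPENAPI_SPEC, DISPATCH):
        print(line)
```

Run it against the skill's real spec and dispatch table by replacing the two constructed dicts; any non-empty result is a reason to hold the install until the publisher separates or gates those features.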

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Description-Behavior Mismatch

Severity: High, Confidence: 98%
Finding
The documentation expands the skill from market-data lookup into wealth and asset queries, which are materially more sensitive than public quote data. Even if still read-only, these endpoints can reveal private financial information and violate user expectations established by the top-level description.

Intent-Code Divergence

Severity: High, Confidence: 99%
Finding
The file states that account/holding/fund queries are unsupported, but nearby sections advertise balance and total-asset queries as supported. This internal contradiction is dangerous because it can bypass policy assumptions and lead users or orchestrators to invoke private financial-data endpoints under a supposedly non-account skill.

Description-Behavior Mismatch

Severity: High, Confidence: 99%
Finding
The recommended script entry includes wealth/account asset endpoints outside the advertised market-data-only scope. By operationalizing those commands in the primary execution path, the skill makes sensitive financial queries easy to trigger despite the stated non-account purpose.

Intent-Code Divergence

Severity: High, Confidence: 98%
Finding
The standard user-facing capability response advertises wealth balance and asset queries even though earlier text says account/fund queries are unsupported. This increases the chance that end users will disclose or request sensitive financial information through a skill they reasonably believe is limited to public market data.

Description-Behavior Mismatch

Severity: High, Confidence: 98%
Finding
The OpenAPI spec exposes unauthenticated token creation and deletion endpoints even though the skill is described as read-only market-data access. This creates unnecessary state-changing capability and a path to mint or revoke credentials, which could enable unauthorized API use, denial of service against legitimate access, or expansion beyond the declared trust boundary.

Context-Inappropriate Capability

Severity: Medium, Confidence: 95%
Finding
Token management is unjustified for a skill whose stated purpose is read-only quote and market-data retrieval. Even if not immediately exploitable for privilege escalation, exposing credential lifecycle operations widens the attack surface and undermines the principle of least privilege for an agent integration.

Description-Behavior Mismatch

Severity: Medium, Confidence: 96%
Finding
The usage guide documents wealth and asset query commands such as balance, total asset, fixed income, and private asset flows, which exceed the manifest's declared stock-market read-only scope. This creates a scope-expansion vulnerability: an agent may expose or invoke account-style financial data access that users and reviewers would not expect from a market-data skill, increasing the risk of sensitive financial information disclosure.

Description-Behavior Mismatch

Severity: Medium, Confidence: 94%
Finding
The verified scenarios section states that balance-list and total-asset capabilities are integrated or pending validation, despite the skill being described as stock-market read-only and not for account or holdings use. By advertising these capabilities as supported workflows, the guide can induce downstream agents or operators to use the skill for sensitive wealth/account queries outside approved scope.

Description-Behavior Mismatch

Severity: Low, Confidence: 91%
Finding
The documented default-currency behavior for wealth asset endpoints operationalizes non-market account-style queries that are outside the manifest's stated purpose. Even without direct transaction support, normalizing hidden defaults for asset queries can cause unintended retrieval of sensitive financial data and makes the out-of-scope functionality easier to invoke automatically.

Description-Behavior Mismatch

Severity: Medium, Confidence: 96%
Finding
This file includes formatters for wealth, cash, fixed income, private contract, and total asset data even though the skill manifest says it is only for read-only market data queries and explicitly not for account/holding scenarios. That scope mismatch increases the chance that sensitive financial/account data could be surfaced if connected endpoints or upstream routing ever invoke these functions, creating an unnecessary data exposure path.

Context-Inappropriate Capability

Severity: Medium, Confidence: 95%
Finding
Supporting account and wealth data presentation in a stock quote skill violates the declared trust boundary and broadens the skill's effective capability beyond user expectations. Even though this module only formats text, formatter availability often reflects reachable product functionality, so accidental or unauthorized disclosure of balances/assets becomes more plausible in an otherwise public market-data context.

Description-Behavior Mismatch

Severity: High, Confidence: 97%
Finding
The skill manifest says it is read-only market data and explicitly excludes account, holdings, and trading-related functionality, but this code adds wealth and asset query intents such as balance, total asset, fixed income, and private contract asset list. That creates a scope violation that can expose sensitive user financial information through an agent path the user and integrator would reasonably believe is limited to public quote data.

Description-Behavior Mismatch

Severity: High, Confidence: 98%
Finding
The dispatch table maps user-controlled intents to wealth/account backend endpoints, directly contradicting the skill description that it is not for account or holdings access. In an agent environment, this is dangerous because a caller expecting only quote retrieval can be routed to credential-backed personal financial data endpoints without clear separation of privilege or purpose.

Description-Behavior Mismatch

Severity: High, Confidence: 94%
Finding
The file includes multiple wealth/account asset summarization functions that process balances, total assets, holdings, private contracts, and related financial account data, which exceeds the declared read-only market-data scope of the skill. Even though these functions only transform input and do not execute trades, their presence expands the skill into sensitive account-information handling, increasing the risk of unauthorized data exposure, privacy violations, and accidental invocation outside the user's expectations.

Natural-Language Policy Violations

Severity: Medium, Confidence: 88%
Finding
The file is written entirely in Chinese and presents only Chinese-language query patterns and outputs, without indicating that the agent should adapt to the user's preferred language. This can cause inaccessible or misleading interactions for users who do not read Chinese, and may lead the agent to ignore user language context rather than respond safely and clearly.

Missing User Warnings

Severity: Medium, Confidence: 90%
Finding
This code performs network requests for wealth and account-related data and returns formatted summaries, but provides no user-facing disclosure that sensitive personal financial information may be accessed. In the context of a stock quote skill advertised as read-only market data, that mismatch increases the chance of silent over-collection or unexpected disclosure of private financial information.
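The dispatch-table finding and the missing-warnings finding describe the same gap from two sides: user-controlled intents reach credential-backed account endpoints with no separation of privilege and no disclosure. A host can close that gap in front of the skill rather than waiting for the publisher. The gate below is an added example written for this page, not the skill's own code or SkillSpector output; it assumes the host knows which scopes the API token carries (`market:read`, `account:read` here are hypothetical scope names) and that the operator opts in to account access at install time. The handlers are constructed stand-ins for the skill's real endpoint calls.

```python
"""Least-privilege gate in front of a skill's intent dispatch (added example).

Market-data intents run freely. Account/wealth intents run only when the
operator enabled the account scope at install, the token actually carries
that scope, and the caller has acknowledged a disclosure. Everything else
is denied rather than silently routed.
"""
from dataclasses import dataclass, field

# Intent sets mirror the split the findings above describe.
MARKET_INTENTS = {"quote", "kline"}
ACCOUNT_INTENTS = {"balance", "total_asset", "fixed_income", "private_asset"}

DISCLOSURE = (
    "This request reads private account data (balances, holdings, fixed-income "
    "and private-asset positions), not public market quotes."
)


class ScopeDenied(Exception):
    """Raised when an intent is outside the scope the host has granted."""


@dataclass
class Policy:
    account_scope_enabled: bool = False          # operator opt-in at install time
    token_scopes: set = field(default_factory=lambda: {"market:read"})  # hypothetical scope names


def gate(intent, policy, acknowledged=False):
    """Return a disclosure string the caller must acknowledge, or None to proceed.

    Raises ScopeDenied for anything the policy does not allow.
    """
    if intent in MARKET_INTENTS:
        return None
    if intent in ACCOUNT_INTENTS:
        if not policy.account_scope_enabled:
            raise ScopeDenied(f"{intent}: account scope is not enabled for this skill")
        if "account:read" not in policy.token_scopes:
            raise ScopeDenied(f"{intent}: token is not scoped for account:read")
        return None if acknowledged else DISCLOSURE
    raise ScopeDenied(f"{intent}: intent is not in the skill's declared scope")


# Constructed handlers standing in for the skill's real endpoint calls.
HANDLERS = {
    "quote": lambda params: {"symbol": params["symbol"], "price": 101.5},
    "balance": lambda params: {"cash": 12345.0},
}


def dispatch(intent, params, policy, acknowledged=False):
    """Gate first, then call the handler; a pending disclosure is returned, not bypassed."""
    notice = gate(intent, policy, acknowledged)
    if notice is not None:
        return {"needs_ack": notice}
    return HANDLERS[intent](params)


def is_denied(intent, policy, acknowledged=False):
    """True if the gate refuses the intent under this policy."""
    try:
        gate(intent, policy, acknowledged)
    except ScopeDenied:
        return True
    return False


if __name__ == "__main__":
    print(dispatch("quote", {"symbol": "0700"}, Policy()))
    print(is_denied("balance", Policy()))
    full = Policy(account_scope_enabled=True, token_scopes={"market:read", "account:read"})
    print(dispatch("balance", {}, full))
    print(dispatch("balance", {}, full, acknowledged=True))
```

With the default policy a market-data-only token never reaches an account endpoint even if the skill's own dispatch table would route there, and unknown intents such as token creation are denied outright rather than falling through to the backend.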

VirusTotal

67/67 vendors flagged this skill as clean.
