finance-daily-report

Security checks across malware telemetry and agentic risk

Overview

This finance report skill is purpose-aligned, but it needs review because setup can store API keys in shell startup files and create persistent scheduled jobs without a clear final confirmation step.

Install only if you are comfortable with daily scheduled execution, outbound calls to finance websites and DashScope/Volcengine LLM APIs, and local report/config persistence. Avoid entering production API keys into the setup script unless you accept plaintext storage in your shell profile; prefer platform secrets or temporary environment variables, and verify any cron job and saved config changes after setup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill invokes cron management, spawns a subagent workflow, and writes report files, yet declares no permissions. This creates a trust and review gap: users and platforms cannot accurately assess whether the skill can persist data, modify scheduling state, and likely access networked collectors, which increases the chance of unintended privileged behavior.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 91%
Finding:
The skill is presented as a report generator, but the behavior identified by analysis extends to persistent system configuration, external network access, cron creation, and filesystem writes. This mismatch can mislead users into authorizing a seemingly simple content skill that actually performs installation-like and persistent actions, which is especially risky because it relies on external collectors and scheduled execution.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The setup script asks the user for an API key and appends it directly to a shell startup file such as ~/.zshrc or ~/.bashrc, causing long-lived credential persistence outside the immediate setup task. This increases exposure because the key becomes available to all future shell sessions, may be readable by other local processes or backups, and is not clearly limited to this skill's runtime needs.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The script similarly persists an optional backup-model API key into the user's shell profile, extending secret storage beyond the stated setup/scheduling function. Even though optional, it still creates durable credential exposure and broadens the blast radius if the shell profile is disclosed, synced, or inspected by unrelated tooling.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The setup flow instructs the agent to run `openclaw cron add` immediately after extracting a time, without a distinct confirmation right before changing scheduler state. That can cause unintended persistent auto-execution from an ambiguous or casually phrased message, especially since the skill defaults ambiguous times to 08:00.

Missing User Warnings

Severity: Low
Confidence: 83%
Finding:
The workflow saves generated reports to `/root/.openclaw/workspace/finance-reports/YYYY-MM-DD.md` without disclosing this local persistence to the user. Even if the content is not highly sensitive, finance summaries may contain user-customized modules or preferences, and silent retention increases privacy and data lifecycle risk.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The phrase for reordering modules (e.g. '把 XX 放到第N个', roughly "move XX to position N") is broad enough that ordinary conversational input could be misinterpreted as a state-changing command. In this skill, that would trigger persistent configuration changes to the finance report layout, creating an unintended-action vulnerability because no explicit user confirmation is required.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The documentation describes direct execution of add/remove/enable/disable/reorder commands that modify persistent configuration, but it does not warn users that these actions change saved state. In a chat-driven agent, hidden persistence increases the risk of accidental or socially engineered changes that continue affecting future reports beyond the current session.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The workflow explicitly instructs saving generated reports and optional evidence files under `/root/.openclaw/workspace/finance-reports/` but does not require notifying the user that content will be persisted. Silent file creation creates a privacy and transparency risk because report contents, dates, and evidence links may remain on disk beyond the chat session and be accessible to later processes or users with workspace access.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The workflow directs the agent to use `web_fetch` and external sources such as Trading Economics for cross-checking without warning the user that third-party network requests will occur. This is risky because user queries, timing, and fetched targets may be disclosed externally, and network access can violate user expectations in environments that require explicit consent for outbound requests.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The script sends arbitrary prompt content to third-party LLM endpoints over the network, but the CLI interface and code provide no user-facing disclosure, consent check, or data-classification guard. In a finance reporting skill, prompts may contain proprietary market research, internal instructions, or user-provided sensitive content, so silent external transmission creates a real confidentiality and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The script sends large amounts of scraped third-party website content directly to external LLM providers without any disclosure, consent flow, or data-classification boundary. Even if the sources are nominally public, this still creates an undisclosed third-party data transfer risk, may violate source terms or internal privacy/compliance expectations, and expands exposure if scraped pages contain unexpected sensitive or copyrighted content.

VirusTotal

66/66 vendors flagged this skill as clean.