Libu Premarket

Security checks across malware telemetry and agentic risk

Overview

This paid stock-reporting skill is mostly coherent, but it has review-worthy risk because it can dynamically load code from a neighboring local skill and persists payment/order state under hidden OpenClaw directories.

Before installing, review whether you are comfortable with a paid skill that reads payment and Tushare environment variables, contacts external market-data services, writes cache/report/order files locally, and may import code from a sibling tushare-finance skill if present. The clean VirusTotal and static scans reduce concern, but the cross-skill import and local billing persistence are the main reasons this should go through Review rather than being treated as routine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises install/run steps that rely on environment variables, local file reads/writes, and network access, yet it declares no permissions. This creates a transparency and consent problem: an agent or user may execute it without understanding that it can access secrets, persist data locally, and contact external services, increasing the chance of unintended data exposure or unsafe execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose is a stock-selection/reporting tool, but the described behavior includes payment-order creation, payment-token validation, subscription enforcement, third-party data collection, and disk persistence. This mismatch is dangerous because users and agents may grant trust on the assumption of a simple analytics tool while the skill also performs sensitive financial workflow actions and broad local/network operations.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The module’s primary behavior is payment gating, local order creation, and credential verification rather than stock-selection analysis. In this skill context, introducing a monetization/payment workflow that writes under a hidden local agent directory materially expands the trust boundary, creates sensitive local state, and can manipulate the agent/user into executing payment-related actions unrelated to the declared analytical purpose.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This code performs custom cryptographic payment handling inside the skill, including local encryption of order data. For a stock-selection tool, embedding payment credential generation/verification is unjustified and dangerous because it handles sensitive billing state in untrusted skill code instead of platform-controlled components.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill stores and manages payment/order state under ~/.openclaw/skills/orders, a hidden local directory outside its stated purpose. In context, this creates persistent local billing metadata that other local processes may tamper with or inspect, and it enables the skill to influence agent payment workflows through filesystem side effects.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill searches another skill directory under ~/.openclaw/skills, prepends that path to sys.path, imports api_client dynamically, and also reads TUSHARE_TOKEN from the environment. In a plugin ecosystem, loading code from another skill path creates a trust-boundary violation: a malicious or replaced neighboring skill could execute arbitrary code in this skill's context and gain access to the environment token.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The documentation mentions cache behavior, but it does not present a clear upfront warning that execution will write order files, cache data, generated reports, and possibly payment artifacts to disk. Lack of explicit disclosure can lead to accidental storage of sensitive financial, subscription, or usage data in user-accessible directories or synced folders.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script makes multiple outbound HTTP/HTTPS requests to third-party market data providers without clear upfront disclosure or a user consent step. While the transmitted stock codes are not highly sensitive by themselves, undisclosed network access expands privacy and supply-chain risk, especially in an agent skill expected to operate on local cached data as well.

VirusTotal

64/64 vendors flagged this skill as clean.
