0528-tosr2-csig

Security checks across malware telemetry and agentic risk

Overview

This finance skill is mostly coherent, but it needs review because its optional social scanners rely on sensitive X session cookies and an external CLI with broad environment access.

Review before installing. The core finance analysis appears purpose-aligned, and VirusTotal/static scan did not show malware, but avoid using the optional X/Twitter setup unless you understand that auth_token and ct0 are live session credentials. Do not grant broad Full Disk Access or place unrelated secrets in the skill .env; prefer running stock analysis with --no-social or --fast modes unless the social scanners are necessary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for category, query in searches:
    try:
        # Copy of the full process environment (including any .env secrets) is passed to the CLI
        env = os.environ.copy()
        result = subprocess.run(
            [bird_bin, "search", query, "-n", "15", "--json"],
            capture_output=True, text=True, timeout=30, env=env
        )
Confidence
85% confidence
Finding
result = subprocess.run( [bird_bin, "search", query, "-n", "15", "--json"], capture_output=True, text=True, timeout=30, env=env

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The documentation instructs users to obtain Twitter/X authentication via browser cookies and even grant Terminal Full Disk Access to access those credentials. This creates a serious credential-handling risk because users are being encouraged to extract and store sensitive session tokens outside normal OAuth flows, which could enable account compromise or broader local privacy exposure if mishandled or abused.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The Twitter/X feature relies on an external `bird` CLI, which is not necessary to perform stock analysis itself and introduces code-execution and data-exposure risk. In this implementation it is especially risky because the subprocess inherits the full environment, likely including any credentials loaded from `.env`.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script automatically reads a repository-level `.env` and imports all key/value pairs into the process environment, broadening access to secrets beyond what the hot scanner needs. This becomes more dangerous because the same environment is later propagated to an external subprocess, enabling credential leakage to other tools.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The roadmap explicitly plans analytics and error-tracking collection, but the skill description presented to users does not disclose that telemetry may be collected. This creates a privacy and consent gap, especially in a finance-related product where behavioral and device data may be sensitive.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to extract live Twitter/X authentication cookies (AUTH_TOKEN and CT0) from browser DevTools and place them into a local .env file. These are sensitive session credentials; mishandling or leakage can enable account takeover or unauthorized access, and normalizing this workflow encourages unsafe credential practices for a finance-focused tool that processes potentially sensitive market activity.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The markdown states that portfolio and watchlist data are stored in persistent files under ~/.clawdbot/skills/stock-analysis, but it does not clearly warn users at the point of feature use that invoking these commands will create or modify local state. This is a transparency and privacy issue because users may assume analysis is ephemeral when it actually persists potentially sensitive investment data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The markdown tells users to grant Terminal Full Disk Access and store or export Twitter auth tokens without meaningful safety warnings or secure-handling guidance. In the context of a stock-analysis skill, these are disproportionate and risky instructions that could expose browser data, leak credentials through shell history or process inspection, and normalize unsafe operational practices.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The usage guide documents state-changing commands such as portfolio creation, adding/removing watchlist entries, and notification-related actions without clearly warning users that these operations persist, modify, or delete local data. In an agent setting, this can lead to unintended file or state changes when a user expects read-only analysis, increasing the risk of accidental data loss or unauthorized modifications through misunderstanding.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The CLI/help text does not clearly disclose that the tool performs additional outbound network requests to Google News RSS during normal operation unless --fast is used. In an agent-skill context, undisclosed network access is risky because users may expect only ticker lookup behavior, while the skill silently contacts third-party services and can leak usage patterns, timing, and analyst interest to external endpoints.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script accesses SEC/EDGAR and sets a hardcoded identity string without clear user-facing disclosure or consent. In an agent environment, this is dangerous because it performs external requests beyond the user's apparent command intent and may create accountability, privacy, or policy issues if traffic is attributed to a fixed identity the operator did not knowingly authorize.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Loading credentials from `.env` without disclosure is not only a transparency issue here; it materially increases risk because secrets are imported globally into the process. In a finance-analysis skill, silent secret ingestion is broader than necessary and enlarges the blast radius of any later subprocess or dependency misuse.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Invoking an external social-media CLI without clear disclosure is risky because users may not expect an additional executable to run, use credentials, and perform outbound requests. In this file the risk is amplified by inherited environment variables and fallback to a generic `bird` command that may resolve to an unexpected binary.

VirusTotal

64/64 vendors flagged this skill as clean.
