0602-tosr2-02

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis skill mostly matches its stated purpose, but its optional X/Twitter feature handles sensitive session credentials in an under-scoped way that deserves review.

Review before installing if you plan to use Twitter/X scanning. Avoid using a personal X account session cookie, do not grant Terminal Full Disk Access unless you understand the exposure, and keep AUTH_TOKEN/CT0 out of shared files, logs, and source control. The core stock and portfolio features appear purpose-aligned, and social scanning can be avoided with the documented no-social mode.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for category, query in searches:
    try:
        env = os.environ.copy()
        result = subprocess.run(
            [bird_bin, "search", query, "-n", "15", "--json"],
            capture_output=True, text=True, timeout=30, env=env
        )
Confidence
84% confidence
Finding
result = subprocess.run([bird_bin, "search", query, "-n", "15", "--json"], capture_output=True, text=True, timeout=30, env=env)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill reads arbitrary key-value pairs from a repository `.env` file and injects them into the process environment without validation or scoping. In this file, those variables are later propagated to a child process, which can expose local secrets such as API tokens to external tooling unnecessarily.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Executing the external `bird` CLI adds command-execution capability not necessary for core stock/news aggregation and increases the attack surface. Even without shell injection, invoking an external program can leak secrets through inherited environment variables or run an attacker-controlled binary if resolution is unsafe.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script loads every key from a local .env file into the process environment and later forwards that environment to an external Bird CLI. This unnecessarily broad secret exposure can leak unrelated credentials to a third-party executable and expands the blast radius if that tool is compromised or logs its environment.

Context-Inappropriate Capability

Medium
Confidence
76% confidence
Finding
Hardwiring use of an external Bird CLI introduces a trust boundary to a separate binary outside the Python process. In this skill context, that matters because the script is intended for market analysis but silently delegates data retrieval and likely authentication handling to an external executable, increasing supply-chain and credential-handling risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs users to extract and store X.com session-related tokens (AUTH_TOKEN and CT0) from browser cookies without clearly warning that these are sensitive authentication credentials. If mishandled, logged, shared, or committed to source control, these tokens could enable unauthorized access to the user's X account or violate user privacy. In this skill's context, the risk is elevated because the feature encourages credential collection for social scraping/integration and presents it as routine setup.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs users to place Twitter/X authentication tokens in a .env file but does not explain how those secrets are stored, protected, or whether they may be transmitted to third-party tools. In a skill that invokes external CLIs and performs network operations, this creates a realistic risk of credential leakage, misuse, or accidental inclusion in logs and debugging output.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation tells users to grant Terminal Full Disk Access and manually extract highly sensitive X/Twitter session credentials (`auth_token`, `ct0`) from browser cookies, then store them in a local `.env` file, without prominent warnings about account takeover risk or safer alternatives. These tokens can provide authenticated access to the user's account, and encouraging broad disk access to Terminal increases exposure if the environment, shell history, logs, or adjacent tooling are compromised.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script makes undisclosed outbound requests to several third-party services, including Yahoo Finance, Google News RSS, and SEC EDGAR, without a clear user-facing warning in the CLI help. In an agent or automation context, this can leak user interest patterns, portfolio constituents, and analysis targets to external providers, creating a privacy and operational-security risk even if the requests are expected for functionality.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code silently imports all variables from a local .env file and makes them available to the process, after which they are propagated to an external CLI. Even without overt exfiltration code, this creates undisclosed credential access and transfer to another component, which is risky for a skill that users may expect to perform only data analysis.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script invokes a third-party CLI using environment-provided credentials without any explicit disclosure or consent flow. In skill ecosystems, silent use of external authenticated tools is dangerous because users may not realize their tokens are being handed to another executable with its own logging and network behavior.

VirusTotal

64/64 vendors flagged this skill as clean.
