0602-tosr2-06

Security checks across malware telemetry and agentic risk

Overview

This finance-analysis skill is mostly purpose-aligned, but its optional Twitter/X features ask users to expose live session cookies and broad browser access, so it should be reviewed carefully before use.

Install only if you are comfortable with a local finance tool making network requests for the tickers and portfolio entries you analyze. Avoid enabling the Twitter/X integration unless you understand that auth_token and ct0 are live session credentials; do not grant Full Disk Access or store those tokens in a project .env unless you can protect and rotate them. Keep portfolio and watchlist files out of synced folders and repositories, and prefer --no-social or --fast modes when you do not need social or news enrichment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for category, query in searches:
    try:
        env = os.environ.copy()
        result = subprocess.run(
            [bird_bin, "search", query, "-n", "15", "--json"],
            capture_output=True, text=True, timeout=30, env=env
        )
Confidence
89% confidence
Finding
result = subprocess.run( [bird_bin, "search", query, "-n", "15", "--json"], capture_output=True, text=True, timeout=30, env=env

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The documentation instructs users to obtain live Twitter/X authentication tokens from browser cookies and use them with the scanner. This is dangerous because session cookies are sensitive credentials; copying them into local files or environment variables increases the risk of account takeover, token leakage, and misuse of a personal authenticated session.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script reads every key/value pair from a local `.env` file and injects them into the process environment without validation or disclosure. In a skill advertised for stock and crypto analysis, broad environment loading is not necessary for core functionality and can expose credentials or sensitive configuration to downstream code and subprocesses.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The Twitter scanning feature executes an external CLI to retrieve data, which introduces code-execution behavior beyond what users would reasonably expect from a market-analysis scanner. Because it is tied to social scanning and not essential to the stated purpose, it increases attack surface and can misuse local credentials or tooling present on the host.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code reads a local .env file and injects all parsed values into process environment variables before invoking an external tool. That expands the trust boundary and can expose secrets or sensitive configuration to the Bird CLI and any of its dependencies, which is more access than a rumor-scanning routine strictly needs.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The roadmap explicitly plans Mixpanel/Amplitude product analytics and Sentry error tracking, but the document does not pair this with user consent, telemetry disclosure, opt-out controls, or data-minimization requirements. In a consumer finance app handling portfolio and behavioral data, silent collection can expose sensitive usage patterns and create privacy/compliance risk even if no exploit code is present.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to extract live Twitter/X session cookies (AUTH_TOKEN and CT0) from browser DevTools and store them in a local .env file. These are effectively authentication credentials; encouraging manual cookie extraction increases the chance of account compromise, accidental leakage through shell history, logs, repos, or other local tooling, and may bypass normal OAuth-style security controls.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The instructions tell users to create a `.env` file with authentication tokens for Twitter/X integration but do not warn that these are sensitive secrets. In a skill context that uses shell commands and local files, this increases the risk of accidental token exposure through logs, commits, world-readable files, or reuse by other tooling on the system.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The instructions tell users to grant Terminal Full Disk Access and handle Twitter/X auth tokens without an explicit warning about the security implications. This is risky because Full Disk Access materially broadens local exposure, and pairing that with browser-cookie extraction normalizes unsafe credential handling that could expose private session data or other sensitive files.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation instructs users to create portfolios and add holdings/watchlist entries, which implies persistent local state, but it does not warn that financial positions and watchlists may be stored on disk. In a finance-related skill, this can expose sensitive investment data to other local users, backups, logs, or synced folders, especially if users assume the commands are stateless analysis helpers.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The `--notify` example explicitly mentions Telegram-format notifications but provides no privacy warning that watchlist contents, triggered alerts, or market interests may be transmitted to an external service. For a stock analysis skill, those alerts can reveal trading intent, holdings, and timing signals, which are sensitive metadata even if no credentials are shown in the docs.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script makes outbound requests to third-party services based on user-supplied tickers, and this behavior is not clearly disclosed at the point of use. In environments where tickers or symbols encode sensitive research interests, portfolio strategy, or internal watchlists, these requests can leak user intent and asset coverage to external providers.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
In portfolio mode, the script iterates over all portfolio assets and sends each ticker to Yahoo Finance and potentially other external services, which can reveal the user's holdings and trading interests. Portfolio composition is often sensitive financial data, so undisclosed transmission to third parties creates a privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
Loading environment variables from `.env` without any user-facing disclosure is a security-relevant transparency issue because users may not realize local secrets are being consumed by the skill. In this file, that hidden behavior becomes more dangerous because those values are later inherited by a subprocess, widening the exposure path.

Ssd 3

Medium
Confidence
98% confidence
Finding
The documentation explicitly instructs users to copy active Twitter/X cookies into environment variables or a local .env file. Those values are effectively bearer credentials for a live account, so storing them this way increases the likelihood of accidental disclosure through shell history, logs, backups, repository commits, or local compromise.

VirusTotal

64/64 vendors flagged this skill as clean.
