0602-tosr2-07

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for stock and crypto analysis, but its optional Twitter/X features ask users to handle sensitive session credentials and broad local permissions without enough safeguards.

Review before installing. Use --no-social or avoid the Twitter/X features unless you understand the risk of browser session cookies. Do not grant Terminal Full Disk Access or store AUTH_TOKEN/CT0 in a shared or committed .env file unless isolated and necessary; revoke or rotate tokens if exposed. Back up portfolio data before using delete or automation commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for category, query in searches:
    try:
        env = os.environ.copy()
        result = subprocess.run(
            [bird_bin, "search", query, "-n", "15", "--json"],
            capture_output=True, text=True, timeout=30, env=env
        )
Confidence
93% confidence
Finding
result = subprocess.run([bird_bin, "search", query, "-n", "15", "--json"], capture_output=True, text=True, timeout=30, env=env)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code loads every key from a local `.env` file into `os.environ`, then later passes the full environment to an external subprocess. In a skill context, this can unintentionally expose unrelated credentials or tokens to the `bird` binary, which is especially risky because the skill's purpose is market scanning, not credential handling.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Using an external `bird` CLI for Twitter/X introduces supply-chain and execution risks that would not exist with direct in-process HTTP requests. The binary may read credentials, perform unexpected network actions, or behave differently across hosts, making the scanner more dangerous than its analysis-oriented description suggests.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The roadmap introduces user-behavior analytics and business KPI tracking without any explicit user-facing privacy notice, consent flow, or disclosure of what data will be collected. In a financial-analysis context, usage patterns may reveal sensitive investment interests or behavior, creating privacy and compliance risk if telemetry is deployed silently.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to extract live X/Twitter authentication cookies from browser developer tools and place them into a local .env file, but provides no security warning about the sensitivity of those credentials. These tokens can enable account access or session abuse if mishandled, leaked to logs, committed to version control, or exposed to other local processes; the skill context increases risk because it normalizes unsafe credential handling for optional social-media scraping.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The markdown instructs users to create a .env file containing AUTH_TOKEN and CT0 for Twitter/X integration but does not warn that these are sensitive credentials or provide secure handling guidance. This can lead users to store tokens insecurely, commit them to source control, expose them in shared directories, or reuse powerful session credentials without understanding the risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation tells users to grant Terminal Full Disk Access in order to retrieve Twitter/X session data, but does not warn that this permission grants broad access to sensitive files well beyond browser cookies. In a finance-oriented skill that also encourages use of local scripts and CLI tools, normalizing this permission increase can expose secrets, documents, wallets, SSH keys, or browser data if the terminal session or invoked tools are compromised.

Missing User Warnings

High
Confidence
98% confidence
Finding
The guide instructs users to extract `auth_token` and `ct0` values from x.com and store them in a `.env` file or environment variables, but does not clearly state that these are highly sensitive session credentials that can enable account access or abuse if leaked. Because the skill is designed for automation and local scripting, users may copy these tokens into insecure locations, logs, shells, or repositories, increasing the chance of credential theft and account compromise.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The usage guide documents state-changing commands for portfolios and watchlists (create, add, remove) without clearly warning that they persistently modify local user data. In an agent or automation context, this increases the chance that a model or user invokes these examples as if they were read-only analysis operations, causing unintended portfolio/watchlist changes and possible loss of trusted tracking data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
When portfolio mode is used, the script iterates over user portfolio holdings and queries Yahoo Finance for each ticker without clearly warning users that their holdings will be disclosed to third-party services. In a portfolio-analysis skill, holdings can reveal sensitive financial interests and behavioral data, so silent transmission creates a meaningful privacy risk even if only ticker symbols are sent.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The script performs SEC EDGAR lookups using a hardcoded identity email without disclosing that insider-trading analysis contacts EDGAR and presents that identity externally. This is primarily a transparency and privacy/compliance issue rather than a direct compromise vector, but users should be informed when external regulator endpoints are queried as part of analysis.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script silently reads a local `.env` file, which may contain API keys, tokens, or unrelated secrets, without scoping or warning. In combination with later subprocess execution, this creates a real credential exposure path rather than a mere usability issue.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The subprocess is launched with `env=os.environ.copy()`, which forwards the full inherited environment—including secrets loaded from `.env`—to an external executable. That gives the child process broad access to credentials and configuration unrelated to its stated task.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The delete command immediately removes portfolio data without a confirmation prompt, dry-run, or recovery mechanism. In a CLI that manages persistent financial tracking data, accidental invocation or automation mistakes can cause irreversible local data loss.

VirusTotal

VirusTotal findings are pending for this skill version.
