0605-cisg-tosr2

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its finance-analysis purpose, but its optional social scanning asks users to expose live X/Twitter session credentials and broad local access, so it needs review before installation.

Install only if you are comfortable with a finance skill that can persist local portfolio/watchlist data and query external market, news, SEC, Reddit, and optional X/Twitter sources. Avoid granting Terminal Full Disk Access or using real browser session cookies unless you fully accept the account risk. Prefer running scans with `--no-social`, use a throwaway account if needed, keep `.env` out of repositories, and do not place unrelated secrets in the same `.env` file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The script expands from ticker analysis into local portfolio loading and valuation, which changes the trust boundary by accessing potentially sensitive user financial holdings from local storage. In an agent-skill context, this can expose private portfolio composition and trigger external lookups for every holding without clear user consent or disclosure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
Finding:
The file advertises Yahoo Finance-based analysis, but it also performs Google News RSS monitoring and geopolitical keyword analysis, introducing undeclared external network access and broader content processing. In a skill environment, this increases data flow and behavior beyond the stated scope, which can surprise users and weaken least-privilege expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
Accessing SEC EDGAR insider-trading filings adds a separate regulatory-data capability that is outside the script's stated Yahoo Finance scope and performs additional outbound requests. This is risky in an agent context because it broadens network behavior, may reveal operator identity via the configured email, and can create privacy/compliance concerns without explicit disclosure.

Context-Inappropriate Capability

Severity: High
Confidence: 93%
Finding:
The skill invokes an external, loosely trusted `bird` binary for Twitter/X access, which expands the trust boundary beyond ordinary market-data retrieval. In the context of a stock-analysis skill, executing an external binary is more dangerous because that binary can read inherited secrets, perform arbitrary network activity, or behave unexpectedly while appearing to be a normal analysis feature.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The README instructs users to extract `AUTH_TOKEN` and `CT0` cookies from browser DevTools and store them in a local `.env` file, which are effectively live session credentials for a Twitter/X account. Exposing, mishandling, or reusing browser session cookies can enable account takeover or unauthorized access, and the documentation provides no strong warning about their sensitivity, storage risks, or safer alternatives.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The instructions tell users to place Twitter/X authentication secrets in a `.env` file but provide no warning about secure storage, file permissions, accidental commits, or token scope. In a skill that uses shell commands and local files, this increases the chance of credential leakage through logs, backups, repository commits, or other tooling that reads local environment files.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The documentation instructs users to grant Terminal Full Disk Access and manually extract `auth_token` and `ct0` cookies from x.com, which are highly sensitive session credentials. These steps materially increase the risk of account compromise and local privacy exposure, especially because the doc does not clearly warn that browser cookie theft or broad disk access can expose unrelated secrets and effectively grant account access as the user.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The usage guide documents state-changing portfolio and watchlist operations such as create, add, remove, and notify without warning users that these commands modify persisted local data or may emit outbound notifications. In an agent setting, this can cause unintended data mutation, surprise alert delivery, or privacy issues because a user may believe they are requesting read-only analysis while the skill performs side effects.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
When portfolio mode is used, the script reads local holdings and then queries external finance services for each ticker, effectively transmitting sensitive investment positions off-box without a prominent warning. Portfolio composition can reveal wealth, strategy, and personal financial interests, so silent external processing is a meaningful privacy issue.

Missing User Warnings

Severity: Low
Confidence: 89%
Finding:
The hardcoded SEC EDGAR identity email is transmitted to an external service without user disclosure or configurability. While not severe by itself, it leaks an identifier to a third party and is inappropriate for a reusable skill because it couples network behavior to a fixed external identity.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The script silently loads all key-value pairs from `.env` into process environment without user disclosure or scoping. In this skill, that is security-relevant because those values may include API tokens and are later copied into the environment of an external subprocess, increasing the chance of secret exposure.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The script indiscriminately loads every key from a local .env file into the process environment, then later forwards that environment to an external CLI. This can expose unrelated secrets to the Bird process and any of its child processes, expanding credential exposure beyond what is necessary for rumor scanning.

VirusTotal

65/65 vendors flagged this skill as clean.