0605-tosr2-cisg-02

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed finance-analysis tool, but its optional social-media features ask for high-impact Twitter/X session access and pass local environment secrets to an external CLI.

Review carefully before installing. Use the finance features without social scanning if possible, and run hot scans with --no-social unless you intentionally trust Bird and the Twitter/X workflow. Do not grant Terminal Full Disk Access or store AUTH_TOKEN/CT0 in plaintext unless you understand they are live session credentials; keep them out of git and logs, restrict file permissions, and rotate/revoke them if exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for category, query in searches:
    try:
        env = os.environ.copy()
        result = subprocess.run(
            [bird_bin, "search", query, "-n", "15", "--json"],
            capture_output=True, text=True, timeout=30, env=env
        )
Confidence
85% confidence
Finding
result = subprocess.run( [bird_bin, "search", query, "-n", "15", "--json"], capture_output=True, text=True, timeout=30, env=env

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The documentation tells users to grant Terminal Full Disk Access and obtain live X/Twitter auth material to enable a nonessential social-data feature. This materially expands local system and account exposure: any process running in that terminal context or any mishandled environment/config file could abuse the tokens or the elevated host permissions.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script reads arbitrary key/value pairs from a local `.env` file and injects them into `os.environ` without scope restriction or disclosure. In this skill, those variables are later inherited by a spawned subprocess, creating a clear path for unintended credential exposure or misuse unrelated to stock scanning.

Context-Inappropriate Capability

High
Confidence
90% confidence
Finding
Executing an external Twitter/X scraping CLI gives the skill arbitrary process-execution capability that is not necessary for ordinary market analysis. This increases attack surface substantially because behavior now depends on a separate executable, its auth state, and its handling of inherited secrets and network traffic.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script loads values from a local .env file into process environment variables and later forwards the full environment to an external CLI. This can expose API keys, tokens, or unrelated secrets to the Bird subprocess and any of its dependencies, creating unnecessary credential leakage risk.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill description emphasizes Yahoo Finance-based stock analysis, but this file executes a separate external Bird CLI to query Twitter/X. That broader capability increases the attack surface and trust boundary because the skill now depends on a local executable and its behavior, not just straightforward HTTP requests to finance data sources.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The implementation performs broad Twitter/X and Google News collection that is materially different from the stated Yahoo Finance analysis scope. Capability mismatch is dangerous because users and orchestrators may grant trust or permissions based on the declared purpose while the code actually performs wider external data gathering.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to extract and store live Twitter/X session cookies (`AUTH_TOKEN` and `CT0`) from browser DevTools, which are sensitive authentication credentials. Sharing or mishandling these tokens can enable account hijacking or unauthorized access, and the documentation does not warn users about the sensitivity, scope, storage risks, or potential account-policy implications.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The instructions tell users to place Twitter/X authentication tokens in a local `.env` file without any guidance on secure storage, permissions, rotation, or avoiding accidental disclosure. This creates a realistic risk of credential leakage through shell history, repository commits, backups, logs, or permissive file access, especially in an automation-oriented skill that also uses local scripts and external tools.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file instructs users to place sensitive auth tokens in a .env file or exported shell variables without warning about credential theft, shell history leakage, accidental commits, multi-user machine exposure, or account misuse. In a skill context, normalizing this handling lowers user caution around live session credentials and increases the chance of compromise.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Undisclosed reading of environment variables from `.env` is risky because users may not expect local secrets to be consumed by a market-scanning script. In this file, the risk is amplified because those variables are later copied into the environment of a child process.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Sensitive values are loaded from .env and used indirectly by an external CLI without explicit user notice or consent. In an agent-skill context, hidden credential use is risky because operators may not realize local secrets are being consumed and exposed to another executable.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The function performs outbound network requests to Google News and later the script queries Twitter/X, but the script provides little meaningful warning beyond generic console output. In a local agent environment, undisclosed external communications can violate user expectations and leak query intent or usage patterns.

Ssd 3

High
Confidence
98% confidence
Finding
Instructing users to extract live authentication tokens from browser cookies is a sensitive credential-handling anti-pattern. These tokens can grant direct account access, may bypass safer consent boundaries of official integrations, and create a realistic path to account takeover or unauthorized actions if leaked, reused, or collected by other local tooling.

VirusTotal

VirusTotal findings are pending for this skill version.
