0605-tosr2-csig-03

Security checks across malware telemetry and agentic risk

Overview

The stock-analysis skill is mostly coherent, but it asks users to store Twitter/X session cookies and passes broad environment secrets into an external CLI, which needs careful review before installation.

Review before installing. Use the skill only if you are comfortable with outbound market-data queries and local storage of portfolio/watchlist data. Avoid using your main Twitter/X account cookies; prefer disabling social scanning with --no-social unless you can isolate credentials, protect the .env file, and trust the installed bird binary. Do not treat BUY/HOLD/SELL output as financial advice or authorize any real trades based only on this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for category, query in searches:
    try:
        env = os.environ.copy()
        result = subprocess.run(
            [bird_bin, "search", query, "-n", "15", "--json"],
            capture_output=True, text=True, timeout=30, env=env
        )
Confidence
93% confidence
Finding
result = subprocess.run([bird_bin, "search", query, "-n", "15", "--json"], capture_output=True, text=True, timeout=30, env=env)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and documents capabilities that imply shell execution, network access, and local file read/write behavior, but the manifest does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: users and hosting systems cannot accurately assess what the skill may access or modify, increasing the chance of over-privileged or surprising behavior.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The skill description is framed around Yahoo Finance-based stock analysis, but the documentation expands scope to Twitter/X integration and multi-source aggregation. This kind of scope drift matters because it introduces additional external data flows and possible credential use that are not clearly reflected in the core manifest description, making the skill more capable and riskier than users may expect.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The documentation instructs users to place Twitter/X authentication material in a local .env file, which introduces credential-handling behavior not clearly justified by the stated Yahoo Finance analysis purpose. Even if optional, encouraging token storage expands the attack surface because local secrets may be exposed through logs, accidental commits, misconfigured tooling, or reuse by unrelated processes.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation presents the skill as generating explicit BUY / HOLD / SELL signals and recommendations while later disclaiming that it is not financial advice. That inconsistency can mislead users about the nature of the output, reduce appropriate caution, and create compliance and consumer-protection risk in a domain where users may act on recommendations with real financial consequences.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The file says the system advises but does not execute, while also claiming it is not trading signals despite describing recommendation outputs and explicit action-oriented guidance elsewhere. This contradiction can cause users to underestimate reliance risk and creates deceptive-documentation concerns, especially for an investment-focused skill where recommendation framing materially affects user behavior.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This section adds subprocess execution and credential-bearing environment forwarding to support Twitter/X scraping, which is a powerful capability beyond straightforward market-data aggregation. In the context of an agent skill, invoking an external CLI with inherited environment variables can expose tokens to unreviewed code paths and enables arbitrary local code execution if the CLI is replaced or compromised.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script ingests every key-value pair from a local `.env` file into the process environment with no allowlist or scope restriction. That broad credential-loading behavior is risky because later code forwards the environment to a subprocess, creating an unnecessary path for secret exposure and making the skill capable of consuming arbitrary local secrets unrelated to stock analysis.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly tells users to extract live X/Twitter session cookies (AUTH_TOKEN and CT0) from browser DevTools and place them in a local .env file. Session cookies are highly sensitive bearer credentials; encouraging manual extraction and storage without strong warnings, scoping guidance, or safer alternatives increases the risk of account takeover, accidental leakage through logs, shell history, backups, or source control.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The credential setup instructions tell users to create a .env file with authentication tokens but do not include an explicit warning about secret handling, storage risks, or accidental exposure. In security-sensitive documentation, omission of such guidance can lead users to place reusable credentials in insecure locations or commit them to source control.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to extract Twitter/X session credentials from browser cookies and store them in a local .env file or shell environment, but it does not clearly warn that these are highly sensitive authentication tokens that can grant account access. This creates a real risk of credential theft, accidental commit to source control, shell history leakage, or unsafe sharing, especially because the instructions normalize manual cookie extraction and local persistence.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script sends user-supplied tickers and potentially sensitive portfolio holdings to multiple third-party services without clearly warning the user in the CLI help or documentation. In the context of a portfolio/market-analysis skill, holdings can reveal investment strategy or personal financial interests, so undisclosed outbound transmission creates a real privacy and data-governance risk.

VirusTotal

65/65 vendors flagged this skill as clean.
