0605-tosr2-csig

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis skill has useful market-scanning behavior, but it under-discloses risky Twitter/X session-token handling and forwards broadly loaded environment secrets to an external CLI.

Install only if you are comfortable with a finance skill that can call external market/news services and optionally use X/Twitter session credentials. Do not place personal browser cookies or unrelated secrets in a shared .env file; use a dedicated account or safer API/OAuth flow, review the Bird CLI before use, and back up local portfolio/watchlist data before running mutation commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for category, query in searches:
    try:
        env = os.environ.copy()
        result = subprocess.run(
            [bird_bin, "search", query, "-n", "15", "--json"],
            capture_output=True, text=True, timeout=30, env=env
        )
Confidence
93% confidence
Finding
result = subprocess.run( [bird_bin, "search", query, "-n", "15", "--json"], capture_output=True, text=True, timeout=30, env=env

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and demonstrates shell execution, network access, and local file read/write behavior, but declares no permissions. That mismatch can mislead users and any permission-gating system about the skill's actual capabilities, reducing transparency and increasing the chance of unintended data access or command execution. In this context, the risk is elevated because the skill stores portfolio/watchlist data locally and optionally uses external services and auth tokens.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script loads every key/value from a repository-local .env file into process environment variables even though most scanning functions do not require credentials. In a skill setting, this unnecessarily exposes secrets to all code paths and especially to later subprocess execution, increasing the chance of credential leakage or misuse.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The skill description emphasizes Yahoo Finance analysis, but this function invokes an external Twitter/X CLI, introducing a materially different capability with separate authentication, network, and data-handling risks. Hidden capability expansion is dangerous because users and reviewers may not expect the skill to execute external tools and contact another platform.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script loads arbitrary values from a local .env file directly into process environment variables, then later forwards the full environment to an external CLI. This can expose API keys, tokens, or unrelated secrets to a third-party binary, creating credential leakage risk well beyond the stated stock-scanning purpose.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Using an external Bird CLI introduces a trust boundary: the script delegates data retrieval and credential handling to another executable outside the Python process. If that binary is compromised, replaced, or behaves unexpectedly, it can access provided credentials and exfiltrate data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README tells users to retrieve browser cookies for x.com and place AUTH_TOKEN and CT0 into a local .env file, but it does not warn that these are sensitive session credentials that may grant account access and can expose private data or enable account misuse if leaked. In a broadly distributed skill, normalizing manual extraction and storage of live web-session tokens increases the chance of credential theft, accidental commits, or unsafe sharing, especially because the setup targets a consumer social account rather than a narrowly scoped API key.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The instructions tell users to place Twitter/X authentication material in a local .env file without warning about the sensitivity of those tokens or safe storage practices. This can lead to credential leakage through accidental commits, overly permissive file access, logs, backups, or shared environments, especially in an automation-oriented skill that encourages CLI usage.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs users to extract and store Twitter/X authentication material (`auth_token` and `ct0`) from browser cookies, including granting Terminal Full Disk Access, but does not warn that these are sensitive session credentials equivalent to account access. In an agent-skill context, this is risky because users may place live tokens into local `.env` files, shell history, logs, or automated environments, increasing the chance of credential theft or account misuse.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The usage guide shows portfolio and watchlist commands that create, modify, and remove locally stored state without clearly warning users that these actions persist and can overwrite or delete data. In a financial-analysis skill, users may run example commands verbatim, so undocumented state-changing behavior can cause accidental loss or corruption of portfolio/watchlist data and unintended alert configuration changes.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script sends user-supplied tickers and portfolio holdings to multiple third-party services (Yahoo Finance, SEC EDGAR, Google News/CNN-derived sources) without clear, explicit disclosure in normal operation. In a portfolio-analysis context, holdings can reveal sensitive financial interests or strategies, so silent transmission creates a privacy and data-handling risk even if the values are only ticker symbols.

Missing User Warnings

Low
Confidence
94% confidence
Finding
The code sends user-supplied ticker symbols to Yahoo Finance via yfinance without any user-facing notice or consent mechanism. While this is expected for a stock-analysis tool, it still creates a privacy/transparency issue because watchlists, portfolio interests, or niche securities/crypto queries may reveal sensitive investment intent to a third party.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Secrets from .env are loaded into the process and later inherited by the external 'bird' subprocess via os.environ.copy(), without clear user warning or minimization. This creates a plausible credential exposure path to third-party tooling that is unnecessary for most of the scanner's functionality.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code silently loads credentials from .env and later transmits them to an external CLI subprocess without clear user notice or limitation. In a skill marketed as stock analysis, that hidden credential access materially increases risk because users would not reasonably expect broad secret exposure to a third-party executable.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script invokes a third-party Bird CLI to search Twitter/X without making clear that environment-provided credentials may be used or exposed. Because the skill's apparent purpose is market scanning, undisclosed handoff to an external executable makes the behavior more dangerous than ordinary web requests.

VirusTotal

65/65 vendors flagged this skill as clean.
