0608-tosr2-01

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis skill generally matches its purpose, but it needs review because it asks users to handle sensitive X/Twitter session cookies and stores financial/social scan data locally with limited safety guidance.

Install only if you are comfortable with a finance tool that contacts multiple third-party data sources, stores portfolio/watchlist and scan results on disk, and may use sensitive X/Twitter session cookies for optional social scanning. Treat AUTH_TOKEN and CT0 like account passwords, keep .env out of source control, prefer skipping social scans with --no-social unless needed, and periodically inspect or delete the local portfolio/watchlist/cache files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for category, query in searches:
    try:
        env = os.environ.copy()
        result = subprocess.run(
            [bird_bin, "search", query, "-n", "15", "--json"],
            capture_output=True, text=True, timeout=30, env=env
        )
Confidence
90% confidence
Finding
result = subprocess.run( [bird_bin, "search", query, "-n", "15", "--json"], capture_output=True, text=True, timeout=30, env=env

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The documentation makes conflicting claims: it says the system produces clear BUY / HOLD / SELL signals and recommendations, while later disclaiming that it is not a source of trading signals. This can mislead users about the nature of the output, weaken informed consent, and create compliance, trust, and safety risks in a financial decision-support context.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This function goes beyond passive stock analysis and invokes a third-party CLI with inherited environment variables, which may include API tokens or other secrets loaded earlier from `.env`. In the context of a stock-analysis skill, that capability is unusually powerful and increases the risk of secret exposure or unintended external actions through the CLI.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code reads arbitrary key/value pairs from a local .env file and injects them into the process environment before invoking an external CLI. This broad credential loading increases the chance that unrelated secrets are exposed to the child process or misused by the external tool, especially because the code copies the full environment rather than only required variables.

Description-Behavior Mismatch

Low
Confidence
77% confidence
Finding
The scanner persists collected tweets, rumor text, author handles, links, and symbol associations to a cache file on disk. Even if sourced from public content, storing aggregated social-monitoring data locally can create privacy, retention, and disclosure concerns if other users or processes can access the cache.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The plan explicitly includes Mixpanel/Amplitude and Sentry but does not mention any user-facing notice, consent flow, or privacy controls around collection of usage analytics and diagnostic telemetry. In a consumer finance app, this can expose sensitive behavioral and portfolio-related metadata to third-party processors and create privacy/compliance risk, especially under GDPR/CCPA and app-store disclosure requirements.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README tells users to extract live Twitter/X session cookies (`AUTH_TOKEN` and `CT0`) from browser developer tools and store them in a `.env` file, but it does not warn that these values are highly sensitive credentials that can grant account access. In the context of an agent skill with automation and third-party CLI integration, this encourages unsafe handling of bearer-like secrets and increases the risk of account takeover if the tokens are exposed through logs, shell history, backups, source control, or local compromise.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The description is broad enough to match general finance conversations, which can cause the skill to be invoked in contexts the user did not clearly request. Because the skill can run scripts, access networks, and write local portfolio/watchlist data, over-broad triggering increases the chance of unintended data access or side effects.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README states that portfolio and watchlist information is stored under a persistent local path, but it does not clearly warn users that personal financial preferences and holdings may be retained on disk. In a finance context, that persistence is sensitive because it can expose investment positions, targets, and trading behavior to other local users or later processes.
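The cache finding above (aggregated tweets and handles written to disk) and this one (portfolio and watchlist persisted under a local path) both come down to who else on the machine can read those files and for how long they stay there. The following is an added example, not the skill's own code, of creating the files owner-only from the moment they exist and purging scan caches past a retention window. The file names, the 0o600/0o700 modes and the seven-day TTL are assumptions made for illustration.

```python
"""Owner-only storage and time-bounded retention for local portfolio,
watchlist and social-scan cache files (added example, not the skill's code)."""
import json
import os
import stat
import tempfile
import time

CACHE_TTL_SECONDS = 7 * 24 * 3600  # assumed retention window for scan caches


def write_private_json(path, payload):
    """Create the file owner read/write only from the moment it exists, so a
    permissive umask never leaves holdings or scraped tweets world-readable."""
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(payload, f)
    os.chmod(path, 0o600)  # also tightens a pre-existing, looser file


def file_mode(path):
    """Permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def find_exposed(data_dir):
    """Names of regular files in data_dir readable or writable by group/others."""
    exposed = []
    for name in os.listdir(data_dir):
        p = os.path.join(data_dir, name)
        if os.path.isfile(p) and file_mode(p) & 0o077:
            exposed.append(name)
    return sorted(exposed)


def purge_stale(cache_dir, ttl=CACHE_TTL_SECONDS, now=None):
    """Delete cache files whose mtime is older than ttl; return what was removed."""
    now = time.time() if now is None else now
    removed = []
    for name in os.listdir(cache_dir):
        p = os.path.join(cache_dir, name)
        if os.path.isfile(p) and now - os.stat(p).st_mtime > ttl:
            os.remove(p)
            removed.append(name)
    return sorted(removed)


def demo():
    """Write a portfolio file and two scan caches (one aged past the TTL) into a
    temp dir; return (portfolio mode, exposed files, purged cache files).
    Paths and contents are constructed for the demo."""
    with tempfile.TemporaryDirectory() as root:
        data = os.path.join(root, "stock-analysis")
        cache = os.path.join(data, "cache")
        portfolio = os.path.join(data, "portfolio.json")
        write_private_json(portfolio, {"NVDA": {"shares": 10, "target": 150}})
        fresh = os.path.join(cache, "social_scan_today.json")
        stale = os.path.join(cache, "social_scan_old.json")
        write_private_json(fresh, {"tweets": ["constructed sample"]})
        write_private_json(stale, {"tweets": ["constructed sample"]})
        old = time.time() - 2 * CACHE_TTL_SECONDS
        os.utime(stale, (old, old))  # age one cache file past the TTL
        exposed = find_exposed(data) + find_exposed(cache)
        removed = purge_stale(cache)
        return file_mode(portfolio), exposed, removed


if __name__ == "__main__":
    print(demo())
```

Passing the mode to os.open at creation time matters more than the later chmod: a file created with the default mode and tightened afterwards is briefly readable by other local users, which is exactly the window the finding describes. `find_exposed` is the periodic inspection the overview recommends, run against the skill's data directory.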

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs users to place Twitter/X authentication tokens in a .env file without warning about token sensitivity, storage risks, or least-privilege handling. Exposed auth tokens can enable account misuse, scraping under the user's identity, or leakage through logs, shell history, backups, or shared working directories.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly instructs users to obtain Twitter/X session credentials from browser cookies and place them in a local .env file or shell environment, but it does not warn that these values are effectively account secrets. Auth tokens and ct0 values can enable unauthorized access if exposed through shell history, checked-in files, logs, screenshots, or multi-user systems, making credential theft and account misuse more likely.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script makes multiple outbound network requests to third-party services, including Yahoo Finance, Google News RSS, CNN Fear & Greed, and SEC EDGAR, without a clear user-facing privacy or egress notice. In an agent/skill context, this can leak user interest, portfolio holdings, and analysis targets to external providers, which is a real privacy and operational-security risk even if no code execution occurs.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script silently loads every key/value from a local `.env` into process environment variables with no scoping or disclosure. This becomes dangerous because later code forwards the environment to an external subprocess, potentially exposing credentials unrelated to this feature.
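The three environment findings above (the CLI invoked with inherited variables, every `.env` entry injected into the process, and the whole environment forwarded to the child) share one fix: load only the keys the social scan needs and give the child a minimal environment. The following is an added example, not the skill's own code. The `SOCIAL_SCAN_KEYS` allowlist, the sample `.env` text and the stand-in `bird` script are assumptions made for illustration; the real `bird` binary is not contacted.

```python
"""Scoped secret loading and a minimal child environment for the social-scan
CLI (added example, not the skill's code)."""
import json
import os
import subprocess
import sys
import tempfile

# Assumed allowlist: the only variables the social-scan CLI is handed.
SOCIAL_SCAN_KEYS = ("AUTH_TOKEN", "CT0")

# Constructed sample .env: the two scan secrets plus an unrelated cloud key.
CONSTRUCTED_DOTENV = """# constructed sample .env
AUTH_TOKEN=abc123
CT0=def456
AWS_SECRET_ACCESS_KEY=should-never-reach-bird
"""

# Stand-in for the real `bird` binary (constructed): prints the names of the
# environment variables it received, so we can see what reached the child.
FAKE_BIRD_SOURCE = "import json, os; print(json.dumps(sorted(os.environ)))"


def parse_env_file(text):
    """Parse KEY=VALUE lines; skips blanks, comments and malformed lines."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key:
            found[key] = value.strip().strip('"').strip("'")
    return found


def naive_environment(env_text):
    """The pattern the findings describe: every .env entry lands in the
    process environment and os.environ.copy() forwards all of it."""
    env = os.environ.copy()
    env.update(parse_env_file(env_text))
    return env


def load_scoped_secrets(env_text, allowed=SOCIAL_SCAN_KEYS):
    """Return only allowlisted keys; unrelated secrets never enter the process."""
    parsed = parse_env_file(env_text)
    return {k: parsed[k] for k in allowed if k in parsed}


def child_environment(secrets):
    """Minimal environment: PATH for binary lookup plus the scoped secrets."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    env.update(secrets)
    return env


def run_social_scan(bird_cmd, query, secrets, timeout=30):
    """Invoke the CLI as an argv list (no shell), bounded by a timeout, with the
    scoped environment. bird_cmd is a list so a script can stand in for the
    binary in the demo."""
    return subprocess.run(
        [*bird_cmd, "search", query, "-n", "15", "--json"],
        capture_output=True, text=True, timeout=timeout,
        env=child_environment(secrets),
    )


def keys_seen_by_child():
    """Run the scan against the stand-in CLI; return the variable names it saw."""
    secrets = load_scoped_secrets(CONSTRUCTED_DOTENV)
    with tempfile.TemporaryDirectory() as tmp:
        fake_bird = os.path.join(tmp, "bird.py")
        with open(fake_bird, "w") as f:
            f.write(FAKE_BIRD_SOURCE)
        result = run_social_scan([sys.executable, fake_bird], "$NVDA", secrets)
    return set(json.loads(result.stdout))


if __name__ == "__main__":
    seen = keys_seen_by_child()
    print("copied env carries AWS key:",
          "AWS_SECRET_ACCESS_KEY" in naive_environment(CONSTRUCTED_DOTENV))
    print("child saw AWS key:", "AWS_SECRET_ACCESS_KEY" in seen)
```

The child is given `PATH` and the two allowlisted values and nothing else, so a compromised or overly curious CLI cannot read cloud keys or database passwords that happen to share the same `.env`. Keeping the argv-list call and the timeout from the original snippet, and never passing `shell=True`, also keeps a user-supplied query from becoming a command.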

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script can execute an external command (`bird`) without a clear warning that running the skill may launch local binaries and contact additional external services. For an analysis skill, hidden command execution is a meaningful trust and safety concern.

VirusTotal

65/65 vendors flagged this skill as clean.
