0608-tosr2-02

Security checks across malware telemetry and agentic risk

Overview

The skill’s finance features are coherent, but its Twitter/X integration asks users to handle sensitive session cookies and forwards broad environment secrets to an external CLI with insufficient safeguards.

Review before installing. The core finance analysis appears purpose-aligned, but avoid enabling Twitter/X integration unless you are comfortable giving this skill and the bird CLI access to sensitive X session credentials. Use a dedicated low-privilege account, keep .env out of version control, do not store unrelated secrets in the skill .env, and prefer --no-social for hot scans when social data is not needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for category, query in searches:
    try:
        env = os.environ.copy()
        result = subprocess.run(
            [bird_bin, "search", query, "-n", "15", "--json"],
            capture_output=True, text=True, timeout=30, env=env
        )
Confidence
91% confidence
Finding
result = subprocess.run( [bird_bin, "search", query, "-n", "15", "--json"], capture_output=True, text=True, timeout=30, env=env

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The scanner reads every key-value pair from a local `.env` file and injects them into `os.environ` even though its stated purpose is stock/crypto trend scanning. This creates unnecessary credential exposure in-process and increases the blast radius when combined with external network calls and subprocess execution later in the file.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Invoking an external Twitter/X CLI is an unnecessary execution capability for a content-scanning skill and materially increases risk. In this file, that risk is amplified because the subprocess receives environment variables populated from `.env`, enabling credential leakage or abuse if the CLI is compromised or behaves unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script loads every key/value pair from a local .env into process environment variables and then later forwards that environment to an external CLI. This creates unnecessary credential exposure risk because unrelated secrets can become accessible to a third-party binary, which is broader than needed for stock-rumor scanning.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README instructs users to extract AUTH_TOKEN and CT0 values from browser cookies for x.com and place them into a local .env file, which are effectively session credentials rather than ordinary API keys. This increases the chance of account takeover, unintended reuse of personal session tokens, and unsafe handling or exfiltration by the skill or surrounding tooling, especially because the guidance does not prominently warn that these secrets grant account access and should not be shared, logged, or committed.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation instructs users to place Twitter/X authentication tokens in a `.env` file but does not provide clear guidance on secure storage, file permissions, exclusion from version control, or the risks of credential reuse and leakage. In a skill that also uses shell commands and external tools, poorly handled tokens could be exposed through logs, accidental commits, insecure file locations, or other local process access.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly instructs users to extract Twitter/X session secrets (`auth_token` and `ct0`) from browser cookies and store them in a local `.env` file or environment variables, but it does not warn that these are highly sensitive session credentials equivalent to account access. If mishandled, logged, committed, shared, or reused on multi-user systems, they could enable unauthorized access to the user's Twitter/X account and associated data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends user-supplied tickers and portfolio-derived holdings to external services such as Yahoo Finance, Google News RSS, and SEC EDGAR without a clear, explicit user-facing privacy notice at runtime. In the context of a portfolio-analysis skill, that matters because portfolio contents can reveal sensitive investment positions, and users may not realize their holdings are being disclosed to third parties during analysis.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Loading all values from `.env` into the process without any user-visible disclosure or minimization means the skill silently gains access to potentially unrelated credentials. That is dangerous because the same process also performs outbound requests and launches a subprocess, creating multiple paths for accidental or malicious secret exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code reads all entries from a local .env file into runtime environment variables without scoping or warning, increasing the chance that secrets unrelated to this feature are accessed and later inherited by subprocesses. In a skill context, this is more dangerous because skills often run in shared automation environments containing API keys, tokens, or service credentials.

VirusTotal

VirusTotal findings are pending for this skill version.
