simontest-1

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis skill is mostly coherent, but its optional Twitter/X features ask for sensitive session tokens and broad local access without enough containment or warnings.

Install only if you are comfortable with the optional social-media features. Avoid enabling Twitter/X scanning unless you understand that AUTH_TOKEN and CT0 can grant account-session access; do not grant Terminal Full Disk Access or store tokens in a shared or committed .env. The core stock and portfolio features look purpose-aligned, but the social credential handling should be tightened before routine use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability

Severity: Medium. Confidence: 88%.
Finding: The skill instructs users to install third-party Twitter/X tooling and supply authentication tokens, expanding the trust boundary beyond the stated finance-analysis purpose. This can expose users to credential theft, account misuse, or over-privileged social-media access, especially because the tool and token handling are not constrained or audited in the skill documentation.

Description-Behavior Mismatch

Severity: Medium. Confidence: 85%.
Finding: The manifest description frames the skill as using Yahoo Finance data, but the body describes broad aggregation from Google News, CoinGecko, Twitter/X, SEC, and rumor scraping. This mismatch can mislead users and reviewers about the actual data flows and risk profile, reducing informed consent and making it easier to hide higher-risk collection or automation behaviors behind a narrower description.

Context-Inappropriate Capability

Severity: Medium. Confidence: 90%.
Finding: The documentation expands the skill beyond passive Yahoo-Finance-style market analysis by instructing users to install an external CLI and supply Twitter/X authentication material, including manually extracted session tokens. That creates an unnecessary credential-handling path and increases the attack surface through third-party tooling and account access, especially since the social source is optional rather than core to the stated purpose.

Context-Inappropriate Capability

Severity: Medium. Confidence: 87%.
Finding: This skill performs trend scanning by HTTP, but the Twitter/X path additionally executes an external CLI that is outside the script's trust boundary. That expands attack surface materially: a trojaned bird binary, unexpected CLI behavior, or local environment side effects could lead to secret exposure or arbitrary outbound access not obvious from the skill description.

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.
Finding: The script loads arbitrary key-value pairs from a local .env file into process environment variables, then later forwards the environment to an external CLI. This creates a credential-exposure path in which unrelated secrets present in .env may be made available to another program without clear scoping or necessity for simple stock analysis.

Missing User Warnings

Severity: Medium. Confidence: 83%.
Finding: The roadmap explicitly plans push notifications, product analytics, behavioral metrics, and tracking tools, but the document does not pair those features with clear user-facing consent, disclosure, or opt-in/opt-out requirements. In a consumer finance app, this increases privacy and compliance risk because usage patterns, portfolio behavior, and notification preferences can reveal sensitive financial interests.

Missing User Warnings

Severity: Medium. Confidence: 92%.
Finding: The README instructs users to place live X/Twitter session cookies (`AUTH_TOKEN` and `CT0`) into a local `.env` file and obtain them from browser DevTools, but it does not warn that these are sensitive authentication secrets equivalent to an active session. In a skill ecosystem where users may share directories, logs, backups, or accidentally commit files, this guidance increases the risk of credential leakage and account/session takeover.

Missing User Warnings

Severity: Medium. Confidence: 90%.
Finding: The documentation tells users to place authentication material in a .env file but provides no warning about the sensitivity of AUTH_TOKEN and CT0, no storage guidance, and no precautions against accidental exposure. In practice, this increases the chance of token leakage through shell history, repo commits, logs, backups, or insecure local permissions.

Missing User Warnings

Severity: Medium. Confidence: 95%.
Finding: The setup tells users to grant Terminal Full Disk Access and to copy sensitive auth_token and ct0 values into a .env file or environment variables without any warning about credential theft, session hijacking, local secret exposure, or the broad privacy implications of disk access. In the context of an agent skill, these instructions are especially risky because users may follow them to enable optional functionality, exposing unrelated browser data and account sessions.
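The three Missing User Warnings findings above all come down to one gap: nothing in the skill checks how the .env holding AUTH_TOKEN and CT0 is stored before reading it. The pre-flight audit below is an added example written for this page, not code from the skill or from the scanner. It refuses to continue when the secrets file is readable by other local users, is a symlink pointing somewhere unexpected, or is not covered by a .gitignore in its directory. The directory layout, file names and the scenarios built by demo() are constructed for the illustration; the .gitignore match is a plain pattern comparison, not git's own rules.

```python
"""Pre-flight hygiene audit for a .env that holds X/Twitter session cookies.

Added example (not part of the skill).  Call require_clean() before the
optional Twitter/X path reads AUTH_TOKEN and CT0.
"""
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Patterns that, when present verbatim in .gitignore, cover a file named .env.
# Assumption for the demo: a real implementation would shell out to
# `git check-ignore -q <path>` to apply git's full matching rules.
IGNORE_PATTERNS = {".env", "/.env", "*.env", ".env*"}


def audit_env_file(env_path: Path) -> List[str]:
    """Return a list of problems; an empty list means the file is safe to load."""
    problems: List[str] = []
    if env_path.is_symlink():
        # A symlink can silently redirect the read to a file outside the
        # skill directory (or let another user swap the target).
        problems.append(f"{env_path.name}: is a symlink to {env_path.resolve()}")
    if not env_path.is_file():
        problems.append(f"{env_path}: not a regular file")
        return problems

    # Session cookies are equivalent to a logged-in browser; nobody else on
    # the host should be able to read them.  Require owner-only (0600).
    mode = env_path.stat().st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(
            f"{env_path.name}: mode {oct(mode & 0o777)} is group/world accessible; use 0600"
        )

    # Accidental `git add .` is the most common way these cookies leak.
    gitignore = env_path.parent / ".gitignore"
    patterns = (
        {line.strip() for line in gitignore.read_text().splitlines()}
        if gitignore.is_file()
        else set()
    )
    if not patterns & IGNORE_PATTERNS:
        problems.append(
            f"{env_path.name}: not listed in {gitignore}; a commit would publish the session cookies"
        )
    return problems


def require_clean(env_path: Path) -> None:
    """Refuse to proceed (raise) instead of loading cookies from an unsafe file."""
    problems = audit_env_file(env_path)
    if problems:
        raise RuntimeError("refusing to load X/Twitter cookies:\n  " + "\n  ".join(problems))


def demo() -> Dict[str, List[str]]:
    """Constructed scenarios in a temp dir: a loose layout and a tightened one."""
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)

        loose = root / "loose"
        loose.mkdir()
        loose_env = loose / ".env"
        loose_env.write_text("AUTH_TOKEN=constructed\nCT0=constructed\n")
        loose_env.chmod(0o644)          # world-readable, no .gitignore
        results["loose"] = audit_env_file(loose_env)

        tight = root / "tight"
        tight.mkdir()
        (tight / ".gitignore").write_text("# local secrets, never commit\n.env\n")
        tight_env = tight / ".env"
        tight_env.write_text("AUTH_TOKEN=constructed\nCT0=constructed\n")
        tight_env.chmod(0o600)          # owner-only
        results["tight"] = audit_env_file(tight_env)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "clean")
```

On macOS the same audit is the place to stop if the user was told to grant Terminal Full Disk Access: the cookies live in a single file, so the skill has no reason to need disk-wide read rights, and refusing to run until that file is 0600 and git-ignored is cheaper than auditing what else the terminal can now read.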

Missing User Warnings

Severity: Low. Confidence: 71%.
Finding: The code makes outbound SEC EDGAR requests and sets a fixed identity string without clearly informing the user at runtime that an external service will be contacted. In agent or enterprise environments, undisclosed network access can violate user expectations, leak usage metadata, and create compliance issues even if the requested data is public.

Natural-Language Policy Violations

Severity: Medium. Confidence: 74%.
Finding: Hard-coded Google News RSS requests to a specific US-English locale perform outbound requests and impose a geography/language choice without user consent. In a skill context, that can create unexpected data flows, reduce transparency, and cause users to rely on analysis shaped by hidden regional defaults.

Missing User Warnings

Severity: Medium. Confidence: 93%.
Finding: The script implicitly loads credentials from .env and passes them to an external CLI without user-facing disclosure or consent. This is dangerous because users may not realize secrets are being consumed and potentially transmitted to an external service, increasing the chance of unintended credential exposure.
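This finding and the earlier Context-Inappropriate Capability finding about loading arbitrary .env pairs into the process environment describe one code path: every key in .env becomes a process variable, and the whole process environment is what the external CLI inherits. The block below is an added example written for this page, not the skill's code, showing that leaky pattern beside a scoped version that reads only the two cookies the CLI needs and starts the child from an empty environment. The `bird` CLI name follows the findings; its argument list is an assumption, so `run_bird()` defaults to a dry run that only returns the plan, and the sample .env text is constructed.

```python
"""Scoped secret loading for an external CLI (added example, not the skill's code).

leaky_env():  the pattern the findings describe (load all of .env, forward all of it).
scoped_env(): pass only AUTH_TOKEN/CT0 plus the minimum non-secret plumbing.
"""
import os
import re
import subprocess
from typing import Dict, List

# Constructed sample .env.  Besides the two X/Twitter cookies it holds an
# unrelated cloud key and an API key, as a developer's real .env often does.
SAMPLE_DOTENV = """\
# twitter/x session cookies copied from browser devtools
AUTH_TOKEN=0123456789abcdef0123456789abcdef01234567
CT0='9d9c8b7a6f5e4d3c2b1a'
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
OPENAI_API_KEY=sk-example-not-a-real-key
"""

# The only secrets allowed to cross the process boundary into the CLI.
CLI_SECRET_KEYS = ("AUTH_TOKEN", "CT0")
# Non-secret variables the child needs to locate its binary and config.
CLI_PASSTHROUGH = ("PATH", "HOME", "LANG")

_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal .env parser: KEY=VALUE, optional `export`, optional matching quotes."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _LINE.match(line)
        if not match:
            continue
        key, val = match.groups()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        out[key] = val
    return out


def leaky_env(dotenv_text: str) -> Dict[str, str]:
    """The flagged pattern: everything in .env joins the process environment,
    and the whole process environment is what the child would inherit.
    (Returned as a dict rather than mutating os.environ, to keep the demo pure.)"""
    env = dict(os.environ)
    env.update(parse_dotenv(dotenv_text))
    return env


def missing_cookie_keys(dotenv_text: str) -> List[str]:
    """Which of the required cookies are absent or empty in the .env text."""
    secrets = parse_dotenv(dotenv_text)
    return [k for k in CLI_SECRET_KEYS if not secrets.get(k)]


def scoped_env(dotenv_text: str) -> Dict[str, str]:
    """Hardened: pick only the keys the CLI needs, fail loudly if one is missing,
    and build the child's environment from scratch instead of from os.environ."""
    missing = missing_cookie_keys(dotenv_text)
    if missing:
        raise RuntimeError(f"missing required X/Twitter cookies in .env: {missing}")
    secrets = parse_dotenv(dotenv_text)
    env = {k: os.environ[k] for k in CLI_PASSTHROUGH if k in os.environ}
    env.update({k: secrets[k] for k in CLI_SECRET_KEYS})
    return env


def run_bird(args: List[str], env: Dict[str, str], dry_run: bool = True):
    """Invoke the external CLI with the scoped environment only.
    `bird` and its arguments are assumptions; dry_run (default) returns the plan."""
    cmd = ["bird", *args]
    if dry_run:
        return {"cmd": cmd, "env_keys": sorted(env)}
    return subprocess.run(cmd, env=env, check=True, capture_output=True, text=True)


if __name__ == "__main__":
    leaked = [k for k in leaky_env(SAMPLE_DOTENV) if k.endswith("_KEY")]
    print("keys the leaky pattern would hand to the CLI:", leaked)
    print("scoped plan:", run_bird(["search", "NVDA"], scoped_env(SAMPLE_DOTENV)))
```

The difference a reviewer should look for in the skill is the `env=` argument to the subprocess call: a child started without one inherits everything, including whatever python-dotenv put there, and the user-facing disclosure the finding asks for is easy to add at the same point, since scoped_env() already knows exactly which two names it is about to hand over.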

VirusTotal

VirusTotal findings are pending for this skill version.