test-0612

Security checks across malware telemetry and agentic risk

Overview

This finance-analysis skill appears legitimate, but its optional Twitter/X features ask for sensitive session access and broad local permissions without enough safeguards.

Review before installing if you plan to use Twitter/X integration. Avoid granting Full Disk Access unless you fully understand the privacy impact, use a dedicated or low-risk X account if possible, keep AUTH_TOKEN and CT0 out of source control and logs, and consider using --no-social or skipping bird if you only need market/news analysis. Treat portfolio and watchlist files as sensitive because they can reveal holdings, cost basis, and alerts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for category, query in searches:
    try:
        env = os.environ.copy()
        result = subprocess.run(
            [bird_bin, "search", query, "-n", "15", "--json"],
            capture_output=True, text=True, timeout=30, env=env
        )
Confidence
93% confidence
Finding
result = subprocess.run( [bird_bin, "search", query, "-n", "15", "--json"], capture_output=True, text=True, timeout=30, env=env

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The script claims to use Yahoo Finance data, but it also pulls data from Google News RSS, CNN Fear & Greed, and SEC EDGAR. In an agent-skill context, undisclosed outbound network access to additional third parties changes the trust boundary and can expose user queries, usage patterns, IP metadata, and operational context to services the user did not expect.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The script claims to use Yahoo Finance data, but it also pulls data from Google News RSS, CNN Fear & Greed, and SEC EDGAR. In an agent-skill context, undisclosed outbound network access to additional third parties changes the trust boundary and can expose user queries, usage patterns, IP metadata, and operational context to services the user did not expect.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Invoking an external CLI for Twitter/X collection gives this skill an unjustified execution primitive relative to its stated purpose of market analysis. In an agent-skill setting, this is more dangerous because the skill can trigger local process execution and potentially leverage any credentials or configuration available to that CLI.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script automatically loads a repository-level `.env` file into process environment variables before scanning, which broadens credential exposure beyond what is needed for a trend scanner. This becomes particularly risky because those variables are later inherited by a subprocess, creating a path for unrelated secrets to be consumed or leaked by external tooling.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code loads all key/value pairs from a local .env file into process environment variables, then later forwards the environment to an external CLI. That expands the external tool's access to credentials or unrelated secrets, creating unnecessary exposure if the CLI is compromised, logs its environment, or behaves unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The scanner executes an external Bird CLI binary to perform Twitter/X searches, which introduces dependency on opaque code outside this script's control. In the skill context this is somewhat justified by social-signal analysis, but it still expands the attack surface because a compromised or replaced binary would run with this script's privileges and inherited environment.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README directs users to place live Twitter/X authentication tokens in a `.env` file and explains how to extract them from browser cookies, but it does not warn that these are sensitive credentials that must be protected, excluded from version control, and never shared. This creates a realistic risk of accidental credential leakage through commits, screenshots, logs, or support requests, which could enable unauthorized access to the user's Twitter/X session.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs users to place authentication tokens in a `.env` file without any handling guidance, storage restrictions, or warnings about accidental exposure. This creates a realistic path to credential leakage through source control, shared directories, logs, or overly broad file access by other tools on the same system.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The concept document explicitly says the tool produces clear BUY / HOLD / SELL signals before presenting a strong, prominent financial-risk warning in the same context. In an investment-focused skill, recommendation-style language can cause users to over-trust outputs as actionable advice, increasing the chance of financial harm if the signals are wrong or misunderstood.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs users to grant Terminal Full Disk Access so bird CLI can access browser cookies, but it does not warn that this permission enables broad access to sensitive local data beyond just Twitter/X authentication material. In a finance-related skill that also encourages automation and credential handling, this creates unnecessary risk of over-privileged access and accidental exposure of private files or session data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation tells users to manually extract Twitter/X session tokens and store them in a local .env file or environment variables without emphasizing that these are highly sensitive account credentials. If mishandled, committed to source control, logged, or read by other local processes, the tokens could allow account takeover or abuse of the user's Twitter/X session.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The portfolio examples instruct users to create portfolios and add holdings without clearly warning that these commands persist financial data and modify local state. In an agent or automation context, a user may believe they are running a read-only analysis and unintentionally create or alter stored portfolio records, which can affect later outputs, alerts, and decisions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The watchlist examples show add, check, and remove workflows without disclosing that they store and update persistent watchlist and alert state. This can mislead users or downstream agents into performing state-changing operations when they expect informational output only, causing unwanted alerts, overwritten settings, or deletion of tracked items.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Portfolio mode reads local portfolio holdings and cost basis data, which are sensitive financial details, without any explicit privacy disclosure at the point of use. In a skill setting, users may invoke analysis expecting market lookups, not local financial profile access, so this can lead to over-collection and unintended exposure of personal investment data in outputs, logs, or downstream tooling.

VirusTotal

65/65 vendors flagged this skill as clean.
