Fund News Summary

Security checks across malware telemetry and agentic risk

Overview

This skill does summarize fund news, but it also automatically saves, sends, commits, pulls, and pushes reports with broad GitHub side effects that users should review carefully.

Install only if you explicitly want an unattended daily market report that may be sent to Telegram, saved under /root/clawd/obsidian-vault, and pushed to a GitHub repository. Before enabling it, confirm the Telegram recipient, the repository origin, credentials, branch, and cron disable path, and change the git sync to stage only the generated report or require approval before pushing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Commit local changes first
logger.info("正在提交本地更改...")
subprocess.run(["git", "add", "-A"], check=False)
commit_result = subprocess.run(
    ["git", "commit", "-m", f"Update fund report {today_str}"],
    capture_output=True, text=True
)
Confidence
93% confidence
Finding
subprocess.run(["git", "add", "-A"], check=False)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Commit local changes first
logger.info("正在提交本地更改...")
subprocess.run(["git", "add", "-A"], check=False)
commit_result = subprocess.run(
    ["git", "commit", "-m", f"Update fund report {today_str}"],
    capture_output=True, text=True
)
Confidence
91% confidence
Finding
commit_result = subprocess.run( ["git", "commit", "-m", f"Update fund report {today_str}"], capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Fetch remote updates (using the merge strategy)
logger.info("正在同步 GitHub 仓库...")
pull_result = subprocess.run(
    ["git", "pull", "origin", "master", "--no-rebase"],
    capture_output=True, text=True
)
Confidence
95% confidence
Finding
pull_result = subprocess.run( ["git", "pull", "origin", "master", "--no-rebase"], capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
logger.warning(f"拉取远程更新失败: {pull_result.stderr}")

# Push
push_result = subprocess.run(
    ["git", "push", "origin", "master"],
    capture_output=True, text=True
)
Confidence
96% confidence
Finding
push_result = subprocess.run( ["git", "push", "origin", "master"], capture_output=True, text=True )

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes a local Python script, writes files, uses networked destinations, and performs shell-capable operations, yet no explicit permissions are declared. This creates hidden authority: an agent or reviewer may believe the skill is read-only news summarization when it can persist data and transmit content externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is passive news collection and summarization, but the skill also stores reports locally, sends output to Telegram, and auto-pushes content to GitHub. This mismatch is dangerous because it hides data persistence and exfiltration behaviors behind an innocuous description, undermining informed consent and security review.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest presents the skill as a market-news summarizer, while the body documents persistent storage in an Obsidian vault and automatic publication to GitHub. Hidden persistence and publication expand the trust boundary and can expose generated content or derived sensitive context beyond what users expect.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Automatically pushing generated content to GitHub is not necessary for providing a news summary and introduces an external publication channel. If the generated report contains sensitive notes, prompts, internal context, or unexpected data, it may be published or synced without adequate review.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill writes generated output to a local Obsidian vault without this persistence being part of the stated skill behavior. This creates an undisclosed side effect on the host filesystem and may expose private notes, overwrite expected content, or leave sensitive financial summaries behind in a user data store.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill performs git synchronization to GitHub, which materially exceeds a fund-news summary tool's declared scope and introduces unauthorized remote data transfer. Because this runs automatically after report generation, users may have no opportunity to review what is being published or whether unrelated repository contents are included.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Executing local subprocesses for git repository manipulation is not justified by the stated purpose of summarizing market news, and grants the skill filesystem and remote-sync side effects far beyond user expectations. In an agent setting, unnecessary command execution materially increases the attack surface and blast radius of prompt or data mistakes.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases are broad enough to match ordinary financial-news requests, which can cause the skill to run automatically in contexts where the user only wanted a conversational answer. Because the skill has side effects like Telegram sending and file/repo writes, overbroad activation increases the chance of unintended execution and data transmission.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description does not clearly warn users that it writes files and automatically pushes generated content to GitHub. Missing disclosure prevents informed consent and can lead to unexpected persistence or publication of content derived from user requests or internal context.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow instructs the agent to send script output directly to Telegram without a clear user warning in the skill description. Any external messaging step is a data egress channel, and silent transmission increases the risk of leaking generated content or embedded contextual data to third-party services.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill writes a markdown report to disk without prior disclosure or confirmation, violating the principle of transparent, user-approved side effects. In context, a news-summary skill is expected to return text, not silently persist artifacts into a personal knowledge base directory.

Missing User Warnings

High
Confidence
98% confidence
Finding
The automatic git add/commit/pull/push sequence performs impactful local and remote actions without explicit warning or user approval. This is dangerous because it can publish data externally, mutate repositories, and capture unrelated changes under the guise of a simple reporting task.

VirusTotal

66/66 vendors flagged this skill as clean.
