finstep-tools

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate financial-data skill, but it handles the required API signature unsafely: the signature is sent as a URL query parameter to a plain `http://` endpoint.

Use the Review bucket here: install only if you trust FinStep and accept that your financial queries and FINSTEP_SIGNATURE will be sent to its service. Treat FINSTEP_SIGNATURE as a secret, avoid confidential queries or private URLs, and prefer a version that uses HTTPS, sends the credential in an Authorization header rather than the query string, and reads it from a managed secret store rather than an exported shell variable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documents direct shell execution of multiple scripts (`bash scripts/*.sh ...`) but does not declare corresponding permissions or execution scope. This creates a trust and review gap: an agent or user may approve the skill based on metadata that understates its real capabilities, increasing the chance of unintended command execution or unsafe handling of parameters and environment data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
78% confidence
Finding
The documented purpose is financial data access, but the static analysis indicates additional generic capabilities such as arbitrary URL parsing and web search that are not disclosed in the main description. Hidden or under-described capabilities broaden the skill's operational scope and can enable unexpected data exfiltration, remote content retrieval, or prompt-surface expansion beyond what a user intended to authorize.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script exposes a generic `url_parse` capability that can fetch and process arbitrary user-supplied URLs, which is broader than the declared financial-data scope. In an agent context, this increases the risk of unintended external access, including SSRF-style access to internal resources or retrieval of non-financial content through the remote MCP service.
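A guard a practitioner would put in front of a generic `url_parse` capability, as an added shell example that is not the skill's own code: only `https://` URLs whose host is exactly on a fixed allowlist pass, and IP literals, `localhost`-style names, userinfo (`https://good.host@evil/`) and explicit ports are rejected so the fetcher cannot be steered at internal services. The two allowlisted hosts and the function name are assumptions for the example. Because the fetch itself runs on FinStep's remote service, this checks what the agent is allowed to ask for, not what that service ultimately resolves.

```shell
#!/bin/sh
# Allowlist guard for a url_parse-style tool. Added example, not the skill's code.
# Assumptions: the two hosts below are the ones a financial-data skill legitimately
# needs; fetch_url_allowed is a hypothetical name.
set -eu

FETCH_ALLOWLIST="api.example-finance.test data.example-finance.test"

# Returns 0 only for https URLs whose host is exactly on the allowlist.
fetch_url_allowed() {
    url="$1"
    case "$url" in
        https://*) ;;
        *) return 1 ;;                  # http://, file://, gopher:// and friends
    esac
    authority="${url#https://}"
    authority="${authority%%/*}"        # drop path
    authority="${authority%%\?*}"       # drop query when there is no path
    authority="${authority%%#*}"        # drop fragment
    case "$authority" in
        ''|*@*|*:*) return 1 ;;         # empty, userinfo, explicit port or IPv6 literal
    esac
    host=$(printf '%s' "$authority" | tr 'A-Z' 'a-z')
    case "$host" in
        localhost|*.localhost|*.local|*.internal) return 1 ;;
        *[!0-9.]*) ;;                   # contains a non-digit: not an IPv4 literal
        *) return 1 ;;                  # only digits and dots: IPv4 (or decimal) literal
    esac
    for allowed in $FETCH_ALLOWLIST; do
        [ "$host" = "$allowed" ] && return 0
    done
    return 1
}

# Usage: fetch_url_allowed "$url" && fetch_via_remote "$url"
```

The check is deliberately string-based and strict (exact host match, no ports) because a URL that reaches a remote fetcher is parsed again there; anything the allowlist cannot express unambiguously is rejected rather than normalised.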

Vague Triggers

Medium
Confidence
73% confidence
Finding
The trigger conditions are broad enough that the skill may activate for many general finance-related requests without clear limits. Overbroad activation increases the chance that user prompts and sensitive financial interests are unnecessarily routed to external scripts and services, especially in an agentic environment where tool selection is automatic.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs the operator to print and export `FINSTEP_SIGNATURE`, effectively handling an API credential in plain shell environment context without any warning about secrecy, logging, shell history, or process exposure. Credentials placed in environment variables and echoed to terminal can be leaked through logs, transcripts, debugging output, or inherited subprocesses, enabling unauthorized API use.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The skill sends financial queries to a remote HTTP endpoint without an explicit privacy or network warning, and the base URL shown is plain `http://`. Even if the data appears non-secret, user queries can reveal investment interests or proprietary research topics, and transmitting them without clear notice or transport security increases privacy and interception risk.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script silently sends request data to a remote endpoint without any user-facing disclosure, which can cause users or upstream agents to unintentionally transmit queried data off-box. In a tool/agent environment, lack of transparency about outbound transmission is a real security and privacy concern, especially when requests may include user-provided parameters.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
A sensitive credential is loaded from `FINSTEP_SIGNATURE` and embedded in the request URL query string, which increases exposure through logs, process monitoring, proxy logs, and server access logs. The issue is compounded by the absence of disclosure that this credential is used in outbound requests to a remote service.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends requests to an HTTP endpoint and places the FINSTEP_SIGNATURE secret in the URL query string, which exposes both financial query contents and the authentication token to network observers, proxies, logs, and monitoring systems. In a financial-data skill, users may reasonably expect stock/company queries and credentials to be handled securely, so silent transmission over cleartext materially increases risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script consumes FINSTEP_SIGNATURE from the environment and transmits it on every request without any isolation or masking, and because it is appended to the URL it is especially likely to leak via shell history, process inspection, reverse proxies, and server access logs. Exposure of this token could allow unauthorized use of the backend financial service and possible access abuse under the operator's identity.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script sends the authentication signature as a URL query parameter over plain HTTP, which makes the credential more likely to be exposed via proxies, logs, monitoring systems, or network interception. There is also no user-facing disclosure that executing the skill will transmit a credential to an external service, increasing the chance of unintended secret leakage.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends the FINSTEP_SIGNATURE credential as a URL query parameter in an outbound HTTP request. Query parameters are commonly exposed in logs, proxy records, browser/history tooling, and monitoring systems, which increases the chance of credential leakage; the risk is amplified because the endpoint uses plain HTTP rather than HTTPS.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script transmits a sensitive credential (`FINSTEP_SIGNATURE`) in the URL query string to an `http://` endpoint, along with user-supplied financial query data. Plain HTTP provides no transport encryption, and placing the credential in the URL further increases exposure through logs, proxies, browser/history equivalents, and intermediary monitoring, making credential theft and request tampering feasible.

External Transmission

Medium
Category
Data Exfiltration
Content
    local tool="$1"
    local params="$2"

    curl -s -X POST "${BASE_URL}?signature=${SIGNATURE}" \
        -H "Content-Type: application/json" \
        -H "Accept: application/json, text/event-stream" \
        --max-time 30 \
Confidence
97% confidence
Finding
The request helper POSTs the tool call to `${BASE_URL}` with `${SIGNATURE}` (loaded from `FINSTEP_SIGNATURE`) appended as a `signature` query parameter; the extracted snippet is cut off at the `-d` request-body flag that follows `--max-time 30`.
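The fix the Overview recommends, applied to the request helper above, as an added shell example that is not the skill's own code: the base URL is refused unless it is `https://`, the signature travels in an Authorization header instead of the query string, and that header is handed to curl through a config fragment on stdin (`-K -`) so the token also never appears in the process argument list, `ps` output or shell history. `FINSTEP_BASE_URL`, `finstep_call`, `require_https`, `url_is_clean` and `curl_config` are names assumed for the example, as are the assumptions that the backend accepts the signature as a bearer token (the page does not say how it is validated) and that `jq` is installed to build the JSON body.

```shell
#!/bin/sh
# Hardened variant of the skill's request helper. Added example, not the skill's code.
# Assumptions: the FinStep backend accepts the signature as a bearer token in an
# Authorization header, the tool name and params travel in a JSON body, and jq is
# installed. FINSTEP_BASE_URL and every function name below are hypothetical.
set -eu

# Refuse anything but https://; returns 0/1 so callers and tests can check it.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) printf 'refusing non-TLS base URL: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Returns 1 if the secret appears anywhere in the URL (the original used ?signature=...).
url_is_clean() {
    case "$1" in
        *"$2"*) return 1 ;;
    esac
    return 0
}

# Print a curl config fragment that carries the credential. curl reads it with -K -
# (config on stdin), so the token is in neither the URL nor argv (/proc/*/cmdline).
curl_config() {
    printf 'url = "%s"\n' "$1"
    printf 'request = "POST"\n'
    printf 'header = "Authorization: Bearer %s"\n' "$2"
    printf 'header = "Content-Type: application/json"\n'
    printf 'header = "Accept: application/json, text/event-stream"\n'
    printf 'max-time = 30\n'
    printf 'silent\n'
}

# Replacement for the page's snippet: call a tool with a JSON params object.
finstep_call() {
    tool="$1"
    params="$2"
    base_url="${FINSTEP_BASE_URL:?set FINSTEP_BASE_URL}"
    sig="${FINSTEP_SIGNATURE:?set FINSTEP_SIGNATURE}"
    require_https "$base_url"
    url_is_clean "$base_url" "$sig"
    # Build the body with jq so tool/params are encoded, not string-concatenated.
    body=$(jq -cn --arg t "$tool" --argjson p "$params" '{tool: $t, params: $p}')
    # Only the body (the financial query, not the credential) is visible on the command line.
    curl_config "$base_url" "$sig" | curl -K - --data-binary "$body"
}

# Usage: FINSTEP_BASE_URL=https://... FINSTEP_SIGNATURE=... ./finstep_call.sh get_quote '{"symbol":"ACME"}'
if [ "$#" -ge 2 ] && [ -n "${FINSTEP_SIGNATURE:-}" ]; then
    finstep_call "$1" "$2"
fi
```

Reading the token from the environment still leaves it visible to child processes and to anyone who can read `/proc/<pid>/environ`; the remaining step, outside this example, is to have the skill fetch it from a secret store at call time instead of requiring the operator to `export` it.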

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal