ClawHub

A Stock Analyst.Bak

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis skill uses disclosed Eastmoney data services and can manage watchlists, which fits its stated purpose but needs careful use around account-linked data.

Install only if you trust this publisher and the auto-installed dependent skills. Use a dedicated Eastmoney/Miaoxiang API key if possible, assume queries and watchlist actions are sent to Eastmoney, and confirm any watchlist or monitoring changes before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The keyword list includes broad terms such as '投资', '理财', and especially '副业', which can match ordinary conversation and cause this skill to trigger outside a clear stock-analysis intent. Overbroad activation increases the chance of unintended invocation of finance-related actions, including watchlist access, monitoring setup, or data queries that the user did not explicitly request.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill advertises viewing and managing self-selected stocks and setting alerts/monitors, but it does not clearly warn users that these operations may change persistent user data. In a finance context this is more sensitive because accidental additions, removals, or alert creation can alter a user's portfolio workflow and produce misleading notifications or missed monitoring.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill forwards user-provided queries to a remote third-party API without any visible disclosure, consent flow, or data-handling notice. This creates a privacy and transparency risk because users may unknowingly transmit sensitive portfolio, research, or trading-related information off-platform.

Missing User Warnings

High
Confidence
95% confidence
Finding
The watchlist management method sends free-form instructions to a remote endpoint that can add or delete self-selected stocks without a confirmation step. In an agent setting, ambiguous or manipulated input could trigger unintended destructive changes to a user's watchlist, affecting monitoring and downstream trading decisions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal