chan-stock-analysis

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis skill is described as a market-analysis tool, but when configured it automatically saves generated reports and charts into an Obsidian vault and uploads them to Baidu Cloud, so review it before installing.

Install only if you intentionally want this skill to use local knowledge-base folders and Baidu Cloud sync for financial-analysis outputs. Before running it, review or disable bypy uploads/downloads, set Obsidian paths deliberately, replace or remove embedded API credentials, and avoid automatic unpinned dependency installs.
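The review step above can be partly automated. The following is an added example, not code from the chan-stock-analysis skill or from SkillSpector: a small AST-based audit that walks a skill's Python source and flags the four behaviours the guidance asks you to look for (subprocess calls that invoke the bypy CLI, runtime `pip install` / `git clone`, hard-coded credential literals, and exec()/eval()). The sample source it runs over is constructed for the demonstration; names such as `TUSHARE_TOKEN` and the example repository URL are assumptions, not values taken from the skill.

```python
"""Pre-install static audit for an agent skill's Python sources (added example)."""
from __future__ import annotations

import ast
import re
from dataclasses import dataclass

# Constructed sample that mimics the behaviours described in the findings.
# None of these lines are copied from the skill; the token value is fake.
SAMPLE_SOURCE = '''
import subprocess, os
TUSHARE_TOKEN = "0123456789abcdef0123456789abcdef01234567"
def upload(chart):
    subprocess.run(["bypy", "upload", chart, "/knowledge/x.png"], timeout=60)
def auto_install():
    subprocess.check_call(["git", "clone", "https://example.invalid/czsc.git"])
    os.system("pip install czsc")
def render(expr):
    return eval(expr)
'''

CLOUD_CLIS = {"bypy", "rclone", "aws", "gsutil"}            # cloud-drive CLIs worth flagging
INSTALL_ARGV = (("pip", "install"), ("pip3", "install"), ("git", "clone"))
EXEC_FUNCS = {"run", "call", "check_call", "check_output", "Popen", "system"}
SECRET_NAME = re.compile(r"(token|secret|api_?key|password)", re.I)
SECRET_VALUE = re.compile(r"^[A-Za-z0-9_\-]{20,}$")        # long opaque literal


@dataclass
class Finding:
    kind: str
    line: int
    detail: str


def _string_args(call: ast.Call) -> list[str]:
    """Literal argv of the call's first positional argument (str or list/tuple)."""
    if not call.args:
        return []
    first = call.args[0]
    if isinstance(first, ast.Constant) and isinstance(first.value, str):
        return first.value.split()
    if isinstance(first, (ast.List, ast.Tuple)):
        return [e.value for e in first.elts
                if isinstance(e, ast.Constant) and isinstance(e.value, str)]
    return []


def _callee(call: ast.Call) -> str:
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def audit(source: str) -> list[Finding]:
    """Return findings sorted by line; an empty list means nothing was flagged."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name, argv = _callee(node), _string_args(node)
            if name in EXEC_FUNCS:
                if argv and argv[0] in CLOUD_CLIS:
                    findings.append(Finding("cloud_cli", node.lineno, " ".join(argv)))
                if any(tuple(argv[:2]) == pat for pat in INSTALL_ARGV):
                    findings.append(Finding("runtime_install", node.lineno, " ".join(argv)))
            if name in {"exec", "eval"} and isinstance(node.func, ast.Name):
                findings.append(Finding("dynamic_exec", node.lineno, name))
        elif isinstance(node, ast.Assign):
            value = node.value
            if isinstance(value, ast.Constant) and isinstance(value.value, str):
                for tgt in node.targets:
                    if (isinstance(tgt, ast.Name) and SECRET_NAME.search(tgt.id)
                            and SECRET_VALUE.match(value.value)):
                        findings.append(Finding("hardcoded_secret", node.lineno, tgt.id))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in audit(SAMPLE_SOURCE):
        print(f"line {f.line:>3}  {f.kind:<17} {f.detail}")
```

Run it over every `.py` file the skill ships before installing; a non-empty result is the cue to disable the bypy calls, move the credential into an environment variable, and pin the dependencies. The name-plus-shape heuristic for secrets will miss tokens built at runtime, so treat it as a first pass rather than a proof of absence.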

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Upload to Baidu Cloud
    try:
        remote_chart = f"/knowledge/{date_str}/{date_str}_{time_str}_{code}_czsc_chart.png"
        result = subprocess.run(
            ['bypy', 'upload', obsidian_chart, remote_chart],
            capture_output=True,
            timeout=60
Confidence
97% confidence
Finding
result = subprocess.run( ['bypy', 'upload', obsidian_chart, remote_chart], capture_output=True, timeout=60 )
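The excerpt above uploads whenever it runs. As an added example (not the skill's code), here is how the same step looks when it is opt-in and bounded: the transfer happens only if the user sets an explicit environment variable, the local file must sit inside the configured vault, the symbol used in the remote name is validated, and the remote destination is fixed to a single prefix. The variable name `CHAN_CLOUD_SYNC`, the `/knowledge/` prefix and the simplified remote file name are assumptions; the `runner` parameter exists so the function can be exercised without bypy installed.

```python
"""Opt-in, bounded wrapper around a bypy upload (added example, not the skill's code)."""
from __future__ import annotations

import os
import pathlib
import re
import subprocess
from typing import Callable, Optional, Sequence

REMOTE_PREFIX = "/knowledge/"                      # assumed: only destinations under this prefix
SAFE_CODE = re.compile(r"^[A-Za-z0-9.]{1,12}$")    # e.g. 000001.SZ; rejects '/', '..', spaces


def upload_chart(local_path: str, code: str, vault_root: str, *,
                 env: Optional[dict] = None,
                 runner: Callable[[Sequence[str]], object] = subprocess.run
                 ) -> Optional[list[str]]:
    """Upload `local_path` with bypy only when the user has opted in.

    Returns the argv that was executed, or None when the upload was skipped.
    Raises ValueError for inputs that could redirect the transfer.
    """
    env = os.environ if env is None else env
    if env.get("CHAN_CLOUD_SYNC") != "1":          # default is to never leave the host
        return None
    if not SAFE_CODE.match(code):
        raise ValueError(f"refusing suspicious symbol {code!r}")

    root = pathlib.Path(vault_root).resolve()
    local = pathlib.Path(local_path).resolve()
    if root not in local.parents:                  # file must live inside the vault
        raise ValueError(f"{local} is outside {root}")

    remote = f"{REMOTE_PREFIX}{code}_czsc_chart.png"
    argv = ["bypy", "upload", str(local), remote]
    runner(argv)                                   # real call: subprocess.run(argv, timeout=60)
    return argv


if __name__ == "__main__":
    # Default environment: nothing is uploaded.
    print(upload_chart("vault/charts/c.png", "000001.SZ", "vault", env={}, runner=print))
```

The important property is the default: with no opt-in the function returns without touching the network, so a user who installs the skill for local analysis never triggers the transfer. The path and symbol checks close the case the findings raise where higher-level inputs influence file paths or remote destinations.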

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill extends from analysis into automatic persistence and cloud synchronization of reports and charts. That expansion is risky because user queries, derived financial analysis, and potentially sensitive local context are stored and uploaded by default, increasing exposure beyond what is necessary to answer a request.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The auto-install workflow clones a remote repository and installs packages at runtime, introducing arbitrary code execution and supply-chain risk unrelated to routine analysis. If the upstream repository or dependencies are compromised, the environment running the skill could execute attacker-controlled code.
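If a runtime install is kept at all, the requirement list should be pinned and hash-locked so that a compromised index or repository cannot substitute code. The check below is an added example, not part of the skill: it classifies each requirement line as acceptable (exact version plus a sha256 hash), unpinned, unhashed, or a VCS/URL source that pip would fetch at install time. The sample requirements and the placeholder digest are constructed; the package names are illustrative.

```python
"""Requirement-pinning check for a skill's install step (added example)."""
from __future__ import annotations

import re

FAKE_HASH = "0" * 64   # placeholder digest for the constructed sample, not a real one
SAMPLE_REQUIREMENTS = f"""
# constructed sample; lines mimic the kinds of entries an auto-install step might carry
czsc==0.9.8 --hash=sha256:{FAKE_HASH}
numpy==1.26.4
akshare>=1.10
git+https://github.com/example/czsc.git@main#egg=czsc
pandas
"""

PIN = re.compile(r"^([A-Za-z0-9_.\-]+)==\S+")
HASH = re.compile(r"--hash=sha256:[0-9a-f]{64}")
FETCHED = ("git+", "hg+", "svn+", "bzr+", "http://", "https://")


def check_requirements(text: str) -> dict[str, list[str]]:
    """Bucket each requirement; anything outside 'ok' should block the install."""
    report: dict[str, list[str]] = {"ok": [], "unpinned": [], "unhashed": [], "vcs": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = re.split(r"\s+#", line, 1)[0].strip()   # trailing comment, but keep #egg=
        if line.startswith(FETCHED):
            report["vcs"].append(line)                  # fetched from a remote at install time
            continue
        m = PIN.match(line)
        if not m:
            report["unpinned"].append(line)             # ranges or bare names float over time
            continue
        if not HASH.search(line):
            report["unhashed"].append(line)             # pinned, but not content-verified
            continue
        report["ok"].append(m.group(1))
    return report


def install_allowed(text: str) -> bool:
    r = check_requirements(text)
    return not (r["unpinned"] or r["unhashed"] or r["vcs"])


if __name__ == "__main__":
    for bucket, lines in check_requirements(SAMPLE_REQUIREMENTS).items():
        print(bucket, lines)
```

A list that passes `install_allowed` can be installed with `pip install --require-hashes -r requirements.txt`, which makes pip itself refuse anything unpinned or unhashed; the `git clone` path in the finding has no equivalent protection and is better replaced by a pinned, hashed release.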

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The module adds cloud persistence features—uploading reports/charts and downloading historical data from Baidu Netdisk—that exceed the stated stock-analysis purpose and create an additional data-exfiltration/storage channel. In an agent context, hidden or unnecessary external persistence is dangerous because analysis outputs and possibly locally available files can be copied to a third-party cloud account without clear user intent.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Invoking an external CLI for cloud-drive operations introduces a capability not required for core market analysis and expands the skill's attack surface. In an agent environment, this enables outbound file movement and dependency on a locally installed tool/account, which can be abused for unauthorized data transfer or persistence if higher-level inputs influence file paths or remote destinations.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill presents itself as a market-analysis tool, but it also persists generated reports locally and uploads them to Baidu Netdisk automatically. That creates an undisclosed data exfiltration path and violates least surprise: analysis output and potentially sensitive context leave the local environment without explicit approval.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code embeds full Baidu Netdisk CLI integration, including listing, downloading, and uploading remote files, which is unrelated to the core purpose of stock analysis. In agent contexts, extra file-transfer capability materially increases the blast radius: it can move data off-host or pull in untrusted remote content without clear necessity or user consent.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill reads from local Obsidian knowledge-base directories even though pure market analysis does not require access to unrelated local notes. This broadens local data exposure and may unintentionally ingest or leak sensitive user information through later reporting or upload steps.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The code uses an embedded Tushare API token, showing undisclosed third-party credential use beyond the advertised skill behavior. Hardcoded credentials are easily leaked, reused, or abused, and they couple the skill artifact itself to a live external account.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
A chart-drawing utility is expected to render output, but this function also persists files into an Obsidian vault and attempts remote upload. Those side effects exceed the declared visualization purpose and can store or disclose potentially sensitive market analysis artifacts in locations the user did not explicitly approve.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Invoking an external uploader from a stock-analysis chart script introduces unnecessary command-execution and network-transfer capability. In this skill context, automatic cloud upload is more dangerous because the tool is supposed to analyze and visualize financial data, not export it to third-party storage by default.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script dynamically loads a local config module to obtain an external API endpoint and token, then sends requests to a third-party service that is outside the declared akshare/futu data-source strategy. This creates an undeclared outbound data dependency and secret-handling path, which can enable data exfiltration to an unexpected endpoint or use of unvetted infrastructure if the config is altered or the endpoint is untrusted.

Vague Triggers

High
Confidence
89% confidence
Finding
The trigger phrases are broad enough to activate during normal conversation, which can cause the high-privilege skill to run unexpectedly. In this context, accidental activation is dangerous because the skill can perform network access, file operations, and persistence/sync actions without the user intending to invoke those capabilities.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad enough to match normal user conversation, which can cause unintended invocation of the skill. In an agent environment, accidental routing can expose user prompts, override more appropriate skills, or cause unrequested financial-analysis behavior to run with higher priority than intended.

Natural-Language Policy Violations

Medium
Confidence
76% confidence
Finding
Forcing Chinese-language triggers and descriptions without user opt-in can cause misrouting or exclusion of users in mixed-locale environments. While not a direct exploit primitive, it can undermine correct intent matching and transparency, especially if the skill has very high priority and activates based on language-specific phrases the user did not knowingly select.

Missing User Warnings

High
Confidence
99% confidence
Finding
A hardcoded credential is transmitted to the Tushare API with no disclosure or consent flow. This is dangerous because source-distributed secrets are recoverable by anyone with code access, enabling unauthorized API use, quota theft, and possible account compromise.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The report is uploaded to Baidu Netdisk automatically once bypy is authenticated, without asking the user at runtime. Even if the report is only analysis output, automatic remote transfer is a privacy and data-governance risk, especially because the skill also reads local knowledge-base content and may incorporate it indirectly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script copies output into a configured Obsidian directory without warning or runtime consent. This can leak generated content into a persistent knowledge repository, which is especially risky when users expect a temporary local chart and may not know the configured vault path.

Missing User Warnings

High
Confidence
99% confidence
Finding
Automatically uploading the generated chart to Baidu Cloud without prior warning or consent is a clear data-exfiltration risk. In the context of a financial-analysis skill, this is especially sensitive because outputs may reveal trading interests, watched symbols, or proprietary analysis workflows.

Ssd 3

Medium
Confidence
90% confidence
Finding
Persisting user-provided conclusions into a reusable knowledge base creates cross-session data retention and possible prompt/data poisoning. A malicious or mistaken user could seed false conclusions that influence future analyses, while benign users may not expect their inputs to be stored for reuse.

Ssd 3

Medium
Confidence
94% confidence
Finding
Saving generated artifacts to local and cloud storage by default creates unnecessary retention and data dissemination. Even if the content is only analysis output, it may contain user-supplied identifiers, proprietary watchlists, or inferred strategy details, and default upload broadens exposure significantly.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal