alphaear-reporter

Security checks across malware telemetry and agentic risk

Overview

This looks like a finance reporting skill, but it includes broad internet research, prediction-model workflows, external service use, and persistent database changes that are not clearly disclosed.

Review before installing. Use this only in an isolated workspace if you are comfortable with outbound finance/news/search requests, possible external LLM/model-provider calls, local database writes, and generated model/chart files. Avoid providing proprietary research targets, trading interests, or API keys unless those data flows are intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (28)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill metadata declares no permissions, yet the detected capability set includes environment access, file read/write, and network operations. This creates a trust and containment problem: an agent or reviewer may approve or invoke the skill assuming it is documentation-only, while linked components can access local data and external resources.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is a constrained reporting skill, but the broader behavior includes web search, market/news ingestion, database storage, forecasting, model routing, and prediction-market access. This mismatch is dangerous because it obscures the true attack surface and data flows, making operators more likely to grant use in sensitive contexts without understanding that it can fetch external content, persist data, and perform autonomous analysis beyond report formatting.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The scanner prompt explicitly authorizes broad external data collection from news, market, prediction-market, sentiment, and web-search tools, which materially exceeds the skill's declared purpose of writing/editing financial reports and generating chart configurations. This scope expansion is dangerous because it can cause the skill to access and synthesize external intelligence without clear user expectation, policy gating, or least-privilege boundaries.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The evaluator prompt reframes the skill from summarizing/reporting into discovering tradable investment signals, including cross-border arbitrage opportunities. That is a substantive change in operational purpose and risk profile: it encourages analysis intended to generate investment intelligence rather than merely present user-supplied financial content.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
These instructions invoke web search, prediction-market ingestion, and sentiment analysis even though the stated skill purpose does not justify those capabilities. Unnecessary retrieval and enrichment paths increase attack surface, create opportunities for unintended data access and prompt injection via untrusted sources, and violate least-privilege expectations for a report-writing skill.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This toolkit exposes broad operational capabilities far beyond the manifest's stated purpose of drafting/editing financial reports and generating chart configurations. Capability overreach increases attack surface and makes it easier for an agent or prompt injection to invoke unnecessary network access, data retrieval, and state-changing actions that users would not reasonably expect from this skill.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
General-purpose web search gives the skill open-ended external reach that is not clearly justified by the declared functionality. In an agent setting, this broadens exfiltration and prompt-injection pathways because arbitrary queries can cause unbounded retrieval of remote content and behavior drift from the user's expected task.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The execute_query method accepts arbitrary SQL and runs it directly against the application's SQLite database, committing any non-SELECT statement. Even though parameters can be supplied separately, exposing unrestricted SQL execution enables destructive operations such as DROP, DELETE, UPDATE, schema changes, or data tampering if any upstream caller can influence the query string.

Context-Inappropriate Capability

Medium
Confidence
79% confidence
Finding
The code loads a PyTorch checkpoint from disk using torch.load on a path selected from local files, and PyTorch deserialization can execute arbitrary code via pickle-based loading when the file is malicious. In a skill whose stated purpose is report generation, this hidden model-loading behavior increases risk because an attacker who can place or influence a .pt file in the expected directory could achieve code execution during evaluation.

Description-Behavior Mismatch

Low
Confidence
96% confidence
Finding
The SQL query is built with string interpolation using the ticker value directly, creating a SQL injection path if that parameter ever becomes user-controlled. Even though the current default ticker is hardcoded, the function signature accepts arbitrary input and the local SQLite context still allows unauthorized query manipulation against the stock_prices database.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file implements stock shock discovery, web/news collection, LLM-based causality verification, model training, and model export, which is materially outside the declared skill purpose of writing/editing financial reports and generating chart configurations. This scope mismatch is dangerous because it introduces undisclosed network access, autonomous data gathering, and predictive-model training capabilities that expand the attack surface and can violate user expectations and least-privilege boundaries.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code performs external web/news searches using stock tickers, company names, and dates, even though the skill is presented as a reporting tool rather than a research crawler. In this context, the mismatch makes the behavior more dangerous because users may not expect outbound queries containing sensitive workflow context, and the search capability could be repurposed for unauthorized data exfiltration or enrichment.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This section trains and saves a market prediction model, which is unrelated to the declared report-writing/chart-configuration role and significantly broadens the operational capability of the skill. In a mismatched skill context, hidden model training is risky because it consumes resources, creates opaque artifacts, and may enable unreviewed forecasting behavior that users and operators did not authorize.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
This file implements broad internet search, local news retrieval, result enrichment, and sentiment analysis, which materially exceeds a narrowly described report-writing/chart-generation skill. Even if intended to improve report quality, this expands the skill's data-access surface and can cause collection and processing of third-party or sensitive information without clear scope controls.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The engine registry enables general-purpose DuckDuckGo, Baidu, and local news database access for a skill presented as a financial reporting assistant. That mismatch increases the chance of overcollection, policy bypass, or unreviewed data sourcing, especially when the tool can query arbitrary topics unrelated to the declared purpose.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The context manager deliberately unsets proxy-related environment variables before retrying network requests, which changes the host's configured network routing and can bypass organizational monitoring, egress controls, or security inspection. In an agent skill, altering global process environment for network behavior is risky because it affects trust boundaries beyond the function's stated reporting purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The generated HTML unconditionally loads JavaScript from https://viewer.diagrams.net/js/viewer-static.min.js at view time, creating a supply-chain and privacy risk. Anyone opening the exported file will execute third-party remote code in their browser and may leak access metadata or be exposed if the CDN/script is compromised.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The tool fetches arbitrary user-supplied URLs over the network without visible safeguards or disclosure. This can enable SSRF-style access to internal services or sensitive endpoints, and can also leak network metadata or retrieve hostile content into the agent context.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This function performs persistent database writes by enriching and updating stored news content, but the interface does not make the state-changing behavior explicit to the user. Hidden mutation is risky in agent workflows because a model can trigger durable changes unintentionally or due to prompt injection, corrupting or altering local records.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The batch sentiment updater overwrites or updates stored sentiment fields in the database without a clear warning that records will be modified. In an agent environment, concealed persistent writes can lead to accidental bulk changes, poisoning of downstream analytics, or unauthorized modification of business data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This finding is valid for the same core reason as the arbitrary SQL issue: the method exposes unrestricted SQL execution without any guardrails, limiting, or warning. In the context of a report-writing skill, such a capability is especially unjustified and increases the chance that prompt- or tool-influenced input could trigger data destruction or tampering.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
torch.load deserializes a checkpoint with Python pickle semantics, which is unsafe for untrusted files and can lead to arbitrary code execution at load time. Because the path can be chosen automatically from the newest .pt file in exports/models, a malicious or tampered checkpoint dropped into that directory could be loaded without validation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code falls back to downloading external embedding and Kronos models if local cache is unavailable, but only logs this internally rather than surfacing clear user-facing disclosure or trust controls. This is risky because it introduces supply-chain and privacy exposure through unannounced network access and execution of externally sourced model artifacts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The search queries send stock/date/company context to an external engine without clear user disclosure or consent. While the data may not always be highly sensitive, in enterprise or proprietary analysis workflows this can leak research targets, trading interests, or internal focus areas to third parties.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Collected search-result content is packaged into a prompt and sent to an external LLM for causality verification without explicit disclosure. This increases data-sharing risk because third-party model providers may receive and retain contextual market research data, and the behavior is especially problematic in a skill that is supposed to focus on report authoring rather than autonomous external analysis.

VirusTotal

66/66 vendors flagged this skill as clean.
