alphaear-sentiment

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a finance sentiment analyzer, but it includes broader local database mutation and generic SQL/LLM utility code that is not clearly scoped in the skill instructions.

Review before installing. Use it only in an environment where it is acceptable for the skill to write to its local SQLite database, and avoid exposing unrelated database paths or API keys. Prefer a local cached/pinned model, verify LLM endpoint environment variables, and do not let untrusted input reach the generic SQL helper or bulk update path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The documented purpose is limited to sentiment analysis, but the detected behavior includes broad database persistence, arbitrary SQL execution, caching, stock/investment signal storage, and LLM routing/tool-calling. This creates a dangerous trust gap: users and reviewers may authorize a seemingly low-risk NLP skill that actually has materially broader data access and mutation capabilities, increasing the chance of hidden data tampering, unauthorized persistence, or abuse of arbitrary query functionality.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The execute_query method accepts arbitrary SQL and runs it against the application's SQLite database, committing non-SELECT statements as well. If any upstream caller can influence the query string, this enables unauthorized reads, modification, or deletion of all stored data and defeats the otherwise safer parameterized-query pattern used elsewhere in the file. In the context of a sentiment-analysis skill, this capability is unjustified and materially increases risk because the module stores broad operational and financial datasets.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The file implements generic LLM capability probing, including tool-calling tests, which is outside the stated purpose of a finance sentiment analysis skill. This kind of scope drift expands the attack surface by causing unintended model interactions and external/tool execution paths that users would not expect from a sentiment analyzer.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The code actively tests whether a model can perform native tool calling by creating an agent with a callable tool and executing a prompt. For a finance sentiment analyzer, this is unnecessary and risky because it normalizes tool invocation behavior and may trigger tool-execution paths, provider-side logging, or unintended side effects unrelated to the advertised function of the skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The router accepts provider, model ID, and host from environment variables and passes them into model construction, which allows deployment-time redirection to arbitrary external LLM endpoints. In a finance-sentiment skill, this expands the trust boundary beyond the declared purpose and can cause sensitive prompts or data to be sent to unapproved services, especially if `LLM_HOST` or related variables are attacker-controlled or misconfigured.

Context-Inappropriate Capability

Severity: Low
Confidence: 83%
Finding: When the model is not present locally, the code automatically downloads a transformer model from the network based on an environment-controlled identifier. This introduces supply-chain and trust-boundary risk, because runtime execution now depends on remote content and can unexpectedly perform network access in environments that may assume local-only processing.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The code silently performs outbound network retrieval of model artifacts without explicit user confirmation or a clear policy gate. In restricted or privacy-sensitive deployments, this can violate expectations, leak metadata about usage, and import unreviewed dependencies at runtime.

VirusTotal

65/65 vendors flagged this skill as clean.