Smc Trading Signal

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed trading-signal monitor with some code-quality and data-integrity risks, but no evidence of theft, destructive behavior, hidden credential use, or automatic trading.

Install only if you are comfortable running a local Python market-monitoring script that contacts public data providers and can be scheduled hourly. Review monitor_v2.py before enabling cron, treat the signals as informational rather than financial advice, and prefer a fixed version that removes exec(), enables TLS verification, and accurately documents supported markets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

exec() call detected

High
Category
Dangerous Code Execution
Content
import sys
from pathlib import Path

# Locate the sibling script next to this file and run its full contents
# in the current interpreter; the real code path lives in monitor_v2.py.
v2_script = Path(__file__).parent / "monitor_v2.py"
if v2_script.exists():
    with open(v2_script, "r", encoding="utf-8") as f:
        exec(f.read())
else:
    print("错误:monitor_v2.py 不存在")
    sys.exit(1)
Confidence
99% confidence
Finding
exec(f.read())

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill metadata declares no permissions, yet the documented behavior and referenced scripts imply file I/O, scheduled execution, and external data fetching. This is dangerous because users and hosting platforms cannot accurately assess or constrain what the skill can access, increasing the risk of over-privileged execution and unnoticed data/network activity.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose does not fully disclose important runtime behaviors: external network access, narrower-than-claimed asset support, and especially dynamic execution via exec of another script. Hidden dynamic execution materially raises risk because it can conceal additional behavior from review, and undisclosed outbound connections expand the attack surface and data exposure profile.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The file presents itself as the core monitor script but immediately delegates execution to another file via exec(), obscuring the real code path. This misdirection reduces auditability and can hide malicious or risky behavior from reviewers and users. In security terms, concealment of the true execution target is a meaningful risk amplifier.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Dynamically executing another local script file is not required for generating trading signals and creates a code-execution primitive. Any compromise of the referenced file or its directory results in arbitrary code execution, which is especially dangerous in an agent environment that may have filesystem, network, or credential access. The skill context does not justify this capability, so it is more suspicious, not less.

Missing User Warnings

High
Confidence
99% confidence
Finding
Disabling TLS certificate verification allows a man-in-the-middle attacker to intercept and modify market data returned by the Sina endpoint. In this trading-signal context, tampered price data can directly influence generated signals, stop-loss/take-profit levels, and saved outputs, making the issue more dangerous than in a non-decision-making script.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal