Is a-stock-analysis safe?

https://clawhub.ai/CNyezi/a-stock-analysis

Overall score: 72 · CAUTION

This A-share stock analysis skill is functionally legitimate, providing real-time market data and portfolio management via Python scripts that query Sina Finance APIs. The primary risk is the unrestricted Python execution model — the agent runs Python scripts with full system privileges including network access and filesystem operations. While the current code contains no malicious behavior and no concerning clone-time activity was detected, the execution model means a skill update could silently introduce malicious capabilities. Portfolio data is stored in a predictable, readable location.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 45/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (7)

MEDIUM Unrestricted Python script execution via uv run -35

The skill instructs the LLM agent to execute Python scripts using 'uv run {baseDir}/scripts/analyze.py' and 'uv run {baseDir}/scripts/portfolio.py'. These scripts run with the full privileges of the user's Python environment, including arbitrary filesystem access, network access, and process spawning. While the current code is benign, this execution model means any future skill update could introduce malicious behavior that the agent would execute without additional review.

MEDIUM Outbound HTTP requests to third-party financial APIs -25

The Python scripts make HTTP requests to hq.sinajs.cn and quotes.sina.cn to fetch stock data. While these are legitimate Sina Finance APIs, the scripts use urllib.request with no domain restriction, meaning modified scripts could send data to any endpoint. The requests include a spoofed User-Agent and Referer header, which is a common pattern for scraping but also demonstrates the scripts' ability to make arbitrary authenticated-looking HTTP requests.

LOW Sensitive portfolio data stored in predictable path -10

Portfolio data including stock positions, cost basis, and quantities is stored at ~/.clawdbot/skills/a-stock-analysis/portfolio.json. This financial data is accessible to any other skill or process that knows the path, and the path is publicly documented in SKILL.md.

LOW Dynamic sys.path manipulation for module imports -10

portfolio.py uses sys.path.insert(0, os.path.dirname(__file__)) to add its own directory to the Python path before importing the analyze module. While necessary for the current design, this pattern allows loading arbitrary Python modules from the skill directory.

LOW No input validation on stock code parameter -10

The get_sina_symbol() function performs only basic prefix matching on stock codes. While the current URL construction is safe (simple string concatenation into a known API URL), there is no strict validation that the input is a 6-digit numeric code, which could allow unexpected input to reach the API endpoints.

INFO Skill update risk — silent code execution changes -15

Because the agent executes scripts from {baseDir}, any skill update that modifies the Python files would result in the agent running new code without explicit user review. The skill's registry-based update mechanism means the author could push changes at any time.

INFO Stock queries sent to Chinese financial services -10

All stock queries are sent to Sina Finance APIs (hq.sinajs.cn, quotes.sina.cn). Users should be aware that their stock lookup patterns and portfolio analysis activity are visible to these third-party services.