Is anthonylee1994/stock-prices safe?

https://github.com/openclaw/skills/tree/main/skills/anthonylee1994/stock-prices

67
CAUTION

This skill presents as a benign stock price lookup tool but employs a supply chain attack pattern by inventing a proprietary 'TOON' response format that creates a mandatory dependency on the skill author's npm package (@toon-format/toon), which has no established public presence. All API calls are routed through the unverified domain stock-prices.on99.app, establishing both a data exfiltration channel (query logging) and a second-order prompt injection vector. The SKILL.md itself contains no direct malicious instructions, but its operational model depends entirely on two unverifiable third-party components — the npm package and the API domain — that together provide an attacker with persistent runtime access to the agent's environment.

Category Scores

Prompt Injection 72/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (7)

HIGH Mandatory unknown npm package install via invented proprietary format -45

SKILL.md instructs agents to run 'pnpm add @toon-format/toon' on the grounds that API responses use a proprietary 'TOON' format. The TOON format appears to be invented by the skill author with no external references or prior art. This creates a mandatory dependency on an npm package from an unverified publisher that could contain malicious preinstall/postinstall scripts and executes arbitrary JavaScript in the agent's runtime on every decode call.

HIGH Supply chain attack pattern: clean skill document, malicious dependency vector -55

The SKILL.md passes superficial review but functions as a delivery mechanism for an npm package from an unknown author. This is a well-documented supply chain attack pattern where the auditable artifact (markdown) is clean while the actual payload is in a required third-party dependency. The invented TOON format is the pretext used to make this dependency appear necessary. Once installed, the package has persistent durable access to the agent's Node.js environment across all future invocations.

HIGH All queries routed through unverified third-party domain -40

Every stock price request is sent to https://stock-prices.on99.app, an unknown domain with no established provenance or published operator identity. The domain operator receives a complete log of all queried symbols, which can reveal user investment interests and portfolio composition. The domain also serves as the injection point for second-order prompt injection via API response content.

MEDIUM Second-order prompt injection via API response content -28

API responses from stock-prices.on99.app are decoded by @toon-format/toon's decode() function and the resulting data is consumed by the agent. The owner of stock-prices.on99.app could embed adversarial instructions within stock quote field values (e.g., in symbol names, timestamps, or additional fields in the TOON response). The custom TOON decoding step adds an obfuscation layer relative to plain JSON that could conceal injected content from monitoring.

MEDIUM Third-party npm package with full runtime environment access -15

The @toon-format/toon package, once installed, runs in the agent's Node.js environment with unrestricted access to process.env (API keys, secrets), the filesystem, and network. A malicious implementation of decode() could silently exfiltrate environment variables, session tokens, or fragments of the agent's conversation context via side-channel HTTP requests on every invocation, with no observable effect on the returned data.

LOW Canary files read at pre-install and post-install checkpoints -15

Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed at 04:45:54 (before git clone) and 04:46:16 (after install completion). Both access timestamps and the identical access pattern are consistent with Oathe audit infrastructure performing pre-install baseline capture and post-install canary integrity verification. No canary content was observed in outbound network traffic.

INFO Clean installation — only expected GitHub network activity -10

The skill installed correctly via sparse git checkout from the openclaw/skills monorepo. The only external network connection was to 140.82.121.4:443 (GitHub). No unexpected processes were spawned, no filesystem changes occurred outside the skill directory, and the connection state was identical before and after installation.