Oathe Security Badge

Is buxibuxi/stock-copilot-pro safe?

https://clawhub.ai/buxibuxi/stock-copilot-pro

94
SAFE

This appears to be a legitimate stock analysis skill that provides comprehensive financial analysis using the QVeris API. While it contains extensive JavaScript code that requires careful review, no malicious behavior was detected during installation or in the static analysis.

Category Scores (score / 100 · weight in overall score)

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (3)

MEDIUM Extensive JavaScript Codebase -5

The skill contains a large amount of JavaScript code (40+ files), which could hide malicious functionality among legitimate-looking code. No obvious malicious patterns were detected, but the size of the codebase makes comprehensive analysis challenging.

LOW Credential File Access During Installation -10

System processes accessed sensitive credential files (.env, SSH keys, AWS credentials) during the installation session. This appears to be related to SSH authentication rather than to the skill itself reading these files.

INFO Legitimate API Usage Declaration 0

The skill properly declares its network requirements and limits outbound connections to qveris.ai, which is appropriate for its stock analysis functionality. The skill metadata and documentation are comprehensive and consistent.