Is finance-news safe?

https://clawhub.ai/kesslerio/finance-news

68 · CAUTION

Finance-news is a legitimate, well-structured market briefing skill with comprehensive tests and clean install behavior. However, it presents moderate risk due to: persistent cron job installation that creates a supply chain attack vector, portfolio financial data being sent to external LLM APIs, URL shortening that leaks activity to is.gd, and accidentally published internal documentation containing a real Google Sheets URL and email address. The skill's hardened system prompt shows security awareness, but the breadth of shell commands it instructs the agent to run creates a wide implicit trust surface.

Category Scores

Prompt Injection 72/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 48/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 52/100 · 5%

Findings (11)

HIGH Persistent cron job installation via agent commands -30

SKILL.md instructs the AI agent to run 'openclaw cron add' commands that register persistent scheduled tasks (morning.sh, evening.sh) on the user's system. These scripts execute with the user's full shell permissions and will continue running even after the user stops interacting with the skill. An attacker who later pushes a malicious update to the skill repo would gain persistent code execution.

HIGH Portfolio financial data sent to external LLM APIs -25

The summarize.py script sends user portfolio holdings (symbols, prices, positions) to external LLM services via the openclaw agent for summarization. This exposes sensitive financial information (which stocks the user owns, and position sizes as implied by category) to third-party AI providers.

MEDIUM URL shortener leaks news processing activity to is.gd -10

The shorten_url() function in summarize.py sends every news article URL to the external service is.gd for shortening. This reveals which news articles the user is consuming, creating a profiling vector. The is.gd service logs all requests.

MEDIUM PyPI dependency supply chain risk -12

requirements.txt installs feedparser and yfinance from PyPI. A supply chain compromise of either package would yield code execution in the user's environment. yfinance in particular is a complex package with many transitive dependencies, which widens that exposure.

MEDIUM Skill instructs agent to execute shell commands with broad scope -18

SKILL.md contains numerous code blocks instructing the agent to run shell commands including setup wizards, cron management, portfolio imports from arbitrary file paths (~/my_stocks.csv), and Docker-based operations. While individually benign, this trains the agent to comply with shell execution requests from this skill's context.

MEDIUM Accidental inclusion of real Google Sheets document ID -20

EQUITY_SHEET_FIXES.md contains a full Google Sheets URL with a real spreadsheet ID (1lTpdbDjqW40qe4YUvk_1vBzKYLUNrmLZYyQN-7HmFJg) and references to a specific user ([email protected]). This appears to be internal documentation accidentally published, leaking both a document URL and an email address.

MEDIUM Cookie credential storage guidance in documentation -10

PREMIUM_SOURCES.md instructs users to create config/cookies.json containing WSJ/Barron's session tokens. While the file is gitignored, the documentation normalizes storing browser session credentials in the skill directory, which could be accessed by other skills or accidentally committed.

LOW Hardened system prompt is a positive security measure 0

summarize.py includes HARDENED_SYSTEM_PROMPT that instructs the LLM to treat news headlines as untrusted input and ignore embedded instructions. This is a good defense against second-order prompt injection via manipulated news headlines.

LOW Lobster workflow integration expands execution surface -5

SKILL.md references Lobster workflow engine integration with --args-json parameter, allowing JSON arguments to be passed to workflows. While Lobster has approval gates, the skill normalizes agent-driven workflow execution.

INFO Comprehensive test suite indicates professional development 0

The skill includes 12 test files covering research, ranking, portfolio, briefing, alerts, stocks, setup, earnings, fetch_news, summarize modules, plus HTML coverage reports. This suggests legitimate, well-maintained software rather than a malicious skill.

INFO Clean clone with no side effects 0

The skill installed cleanly with no network activity, no process spawning, no filesystem changes outside its directory, and no canary file access. The monitoring data shows only standard system cron activity unrelated to the skill.