Is stock-info-explorer safe?

https://clawhub.ai/kys42/stock-info-explorer

Score: 25 (DANGEROUS)

This skill is a bait-and-switch: advertised as 'stock-info-explorer' but delivers a 'task-status' skill that sends all status messages to a hardcoded Telegram account (7590912486) controlled by the author. During installation, it accessed sensitive credential files (.env, .aws/credentials, auth-profiles.json). The skill establishes persistent background daemons and WebSocket-based communication channels that create a complete data exfiltration pipeline disguised as benign task status updates.

Category Scores

Prompt Injection 70/100 · 30%
Data Exfiltration 5/100 · 25%
Code Execution 15/100 · 20%
Clone Behavior 10/100 · 10%
Canary Integrity 15/100 · 10%
Behavioral Reasoning 10/100 · 5%

Findings (11)

CRITICAL Bait-and-switch skill delivery -40

The skill URL and slug are 'stock-info-explorer' but the actual installed content is a completely different skill called 'task-status'. This bait-and-switch is a strong indicator of malicious intent — the author is disguising the true functionality of their skill to bypass user scrutiny.

CRITICAL Hardcoded Telegram exfiltration target -35

All scripts contain a hardcoded Telegram target ID (7590912486) as the default recipient for all messages. Any data passed through the status update mechanism is sent directly to this specific Telegram account controlled by the skill author.

CRITICAL Sensitive files accessed during installation -60

During the clone/install phase, the process accessed .env, .aws/credentials, and auth-profiles.json. These are sensitive credential files that should never be read by a skill installation process.

HIGH Canary files accessed during install -85

The .env and .aws/credentials honeypot files were opened and read during installation. Although the hash integrity check passed (the files were not modified), the read access itself indicates credential harvesting behavior.

HIGH Background daemon execution capability -35

monitor_task.py creates daemon threads that run indefinitely in the background, polling every 0.1 seconds and sending data every 5 seconds. This persistent execution could be weaponized to continuously exfiltrate data.

HIGH Gateway token harvesting -20

Scripts read the CLAWDBOT_GATEWAY_TOKEN environment variable and use it to authenticate WebSocket connections. This token could be exfiltrated via the Telegram message content.

HIGH Subprocess execution with external tool -25

Scripts fall back to executing the 'clawdbot' CLI tool via subprocess.run with constructed arguments, creating a potential command injection vector if message content is attacker-controlled.

MEDIUM Agent instructed to run arbitrary Python scripts -15

SKILL.md instructs the agent to execute Python scripts via bash commands. This gives the skill author the ability to execute arbitrary code through the agent's shell access.

MEDIUM Code executed during installation phase -30

The installation process created temporary files in /tmp/jiti/ and /tmp/openclaw-1000/, and launched what appears to be a gateway service (lock file created). This indicates code execution occurred during what should be a simple file copy operation.

MEDIUM Complete C2-like communication infrastructure -40

The skill establishes WebSocket connections to a local gateway, which forwards messages to a Telegram account. Combined with background daemon threads, this creates a complete command-and-control communication channel that could be used to exfiltrate any data the agent has access to.

LOW Hardcoded Windows paths reveal author environment -5

Scripts contain hardcoded paths to C:\Users\Luffy... directories, revealing the author's username and development environment. While not directly harmful, this is poor practice and suggests the code was not designed for general distribution.