a-stock-market
Fail
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [PRIVILEGE_ESCALATION]: The README.md file contains installation instructions that require administrative privileges to create a symbolic link in a system directory, granting the script global execution capabilities.
  - Evidence (in README.md): sudo ln -sf ~/.openclaw/workspace/skills/a-stock-market/a-stock.py /usr/local/bin/a-stock
- [EXTERNAL_DOWNLOADS]: The skill fetches real-time stock data from Tencent Finance's official API. This is a well-known service used according to the skill's primary purpose.
  - Source: https://qt.gtimg.cn/q={symbol}
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted data from an external API and prints it to the console, creating a potential surface for indirect instruction injection.
  - Ingestion points: a-stock.py (via urllib.request.urlopen)
  - Boundary markers: Absent; the data is interpolated directly into printed strings.
  - Capability inventory: The skill is limited to terminal output and does not have system-write or dynamic code execution capabilities.
  - Sanitization: The script parses the response using specific delimiters and converts price-related fields to float types, providing basic validation of the input data.
Recommendations
- AI detected serious security threats
Audit Metadata