stock-prediction Security Report — Suspicious | ClawSafe

45 /100

stock-prediction

自动化股票预测工作流

Skill executes undeclared shell commands via subprocess with hardcoded Administrator paths, posing significant risk of unintended system modification.

Skill Namestock-prediction

Duration40.7s

Enginepi

⚠

Use with caution

This skill should either be rejected or require explicit user confirmation before any shell command execution. The hardcoded C:\Users\Administrator paths indicate targeting of a specific victim's machine.

Findings 4 items

Severity	Finding	Location
High	Undeclared shell command execution Doc Mismatch SKILL.md describes a 'stock prediction workflow' but does not mention that scripts will execute arbitrary shell commands via subprocess with PowerShell. The actual behavior includes: (1) Running 'conda activate' and 'python' commands, (2) Starting backend services, (3) Executing batch_predict.py scripts. `subprocess.run(['powershell', '-Command', cmd], cwd=PREDICT_DIR, capture_output=True, text=True)` → Declare shell:WRITE permission and clearly document that the skill will execute Python scripts via subprocess/shell commands.	`scripts/run_prediction.py:28`
High	Hardcoded Administrator user paths indicate targeted attack privile_escalation All file paths are hardcoded to C:\Users\Administrator\Desktop\kronos. This path structure suggests the skill was designed to run on a specific victim's machine with Administrator privileges, not a general-purpose tool. `BACKEND_DIR = r"C:\Users\Administrator\Desktop\kronos\kronos-ai\backend"` → This hardcoding is a major red flag. Legitimate skills use relative paths or user-provided paths, not hardcoded Administrator desktop paths.	`scripts/health_check.py:14`
Medium	Auto-startup service mechanism without user consent Persistence The 'self-healing' feature automatically starts the backend service if health check fails. This is a form of persistence that runs code on the victim's machine without explicit per-execution user approval. `subprocess.Popen(['powershell', '-Command', cmd], cwd=BACKEND_DIR, creationflags=subprocess.CREATE_NEW_CONSOLE)` → Require explicit user confirmation before starting services on their machine.	`scripts/health_check.py:36`
Medium	Hidden network behavior Doc Mismatch SKILL.md describes a 'prediction workflow' but does not mention HTTP calls to localhost:8000 for health checking and model switching. This network activity is implicit in the workflow. `urllib.request.urlopen(req, timeout=5)` → Document all network requests including target URLs and purposes.	`scripts/health_check.py:21`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`WRITE`	✗ Violation	scripts/health_check.py:46 - subprocess.Popen starts service
Network	`NONE`	`READ`	✗ Violation	scripts/health_check.py:21 - urllib GET to localhost:8000
Shell	`NONE`	`WRITE`	✗ Violation	scripts/run_prediction.py:28 - subprocess.run with powershell
Environment	`NONE`	`READ`	✗ Violation	scripts/model_switch.py - uses conda environment activation

File Tree

4 files · 9.7 KB · 335 lines

Python 3f · 238L Markdown 1f · 97L

├─ ▾ 📁 scripts

│ ├─ 🐍 health_check.py Python 79L · 2.0 KB

│ ├─ 🐍 model_switch.py Python 64L · 1.9 KB

│ └─ 🐍 run_prediction.py Python 95L · 2.6 KB

└─ 📝 SKILL.md Markdown 97L · 3.2 KB

Security Positives

✓ No evidence of credential harvesting (no access to ~/.ssh, ~/.aws, .env)

✓ No base64 encoding or obfuscation detected

✓ No external IP communications (only localhost)

✓ No C2 infrastructure indicators

✓ No supply chain risks (no external dependencies beyond standard library)

Scan Report

Findings 4 items

File Tree

Security Positives