Security audit

Trading Signal Analysis

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed AgentPMT remote trading-analysis integration, with no executable code or hidden local behavior, but users should be careful about sending proprietary market data.

Install only if you are comfortable sending the provided candle data, symbols, strategy settings, and generated analysis to AgentPMT. For proprietary or confidential trading data, minimize inputs and set storage options such as store_charts or store_trade_log to false when downloadable artifacts are not needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The skill advertises broad activation/search keywords such as generic trading-analysis phrases without clear exclusion boundaries, which can cause an agent to invoke this remote skill in contexts where the user did not explicitly consent to sending data off-platform. Because the skill triggers hosted tool calls, over-broad routing increases the chance of unintended external transmission of user-supplied financial or proprietary market datasets.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill describes ingesting OHLCV datasets and performing analysis through AgentPMT-hosted remote tool calls, but it does not prominently warn users near the top-level description that submitted data leaves the local environment. This can lead users or agents to provide proprietary trading data, backtest datasets, or sensitive symbols/orders to a third-party endpoint without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The schema shows that `full_analysis` can generate and store charts and trade logs in cloud storage by default via `store_charts: true` and `store_trade_log: true`, but the skill description does not prominently warn users about this persistence behavior. This can lead to unintended disclosure or retention of potentially sensitive trading data, symbols, timestamps, and strategy outputs if users assume the tool is purely local or ephemeral.

VirusTotal

63/63 vendors flagged this skill as clean.
