ClawHub

Trading Journal & Performance Analytics

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only trading journal skill that fits its stated purpose, but users should be careful before putting sensitive trading data into sync, backup, or integration features.

Before using this skill with real trades, confirm where journal entries, screenshots, account size, P&L, and emotion notes are stored. Treat cloud backup, sync, TradingView, calendar, and collaboration features as potentially sharing data outside your local environment. Avoid entering broker credentials, private keys, bank details, or sensitive account identifiers unless the publisher provides clear privacy, consent, retention, and deletion controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill advertises automatic cloud backup, cross-device sync, and collaborative storage features for highly sensitive trading-journal data without warning users that trade history, account details, emotions, and strategy notes may be transmitted to third-party services. In a trading context, this can expose financially sensitive and behavioral data, creating privacy, confidentiality, and potential compliance risks if users assume the journal is local/private.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill lists TradingView sync and calendar integration as features without stating that using them may send trading records, timing, annotations, or metadata to external platforms. Because this skill handles sensitive trading activity and potentially proprietary strategies, users may unknowingly disclose personal financial behavior or operational details to third parties.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal