Strategy Workflow

Security checks across malware telemetry and agentic risk

Overview

This trading backtesting skill is mostly documentation, but it asks agents to run persistent autonomous watchdogs, kill and relaunch workers, use root SSH on remote servers, and back up results to cloud destinations without strong user-control boundaries.

Install only if you intend to use a high-authority operations runbook, not just a trading research guide. Require explicit approval before any Bash execution, SSH/SCP, cloud setup, startup hook, watchdog launch, worker kill/relaunch, private documentation ingest, or backup/export; prefer isolated machines or disposable cloud instances and review every referenced script before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The skill embeds broad autonomous control-plane behavior—state reconciliation, self-healing loops, process inspection, watchdog repair, relaunch logic, and persistent monitoring—that goes well beyond a backtesting workflow. In an agent setting, these instructions can cause uncontrolled local process management and repeated system changes without explicit user approval, increasing the risk of destructive or runaway behavior.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The workflow introduces knowledge-plane readiness checks, database/service dependencies, and optional vendor/private documentation ingest that are unrelated to core backtesting. This expands the agent's operational scope into data ingestion and external system coordination, which increases attack surface and can lead to unauthorized access, data exposure, or unexpected behavior if those subsystems are available.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The skill documents remote administration actions such as SSH/SCP file transfer and remote execution on a server, which is outside the declared scope of a local strategy optimization workflow. If followed by an agent, these instructions could modify remote systems, deploy code, or run fixes on external infrastructure without adequate review, causing security and operational risk.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The skill materially expands from strategy generation/backtesting into remote server provisioning, SSH/API access, remote desktop setup, and backup operations. That broadening increases the chance an agent using this skill will perform infrastructure or data-movement actions beyond the user's expected scope, which can expose credentials, modify systems, or exfiltrate data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The documented workflow introduces remote infrastructure administration capabilities that are not justified by the stated purpose of a strategy-workflow skill. In agent contexts, hidden or weakly scoped admin behavior is risky because it can normalize privileged actions such as server access, startup script execution, and API usage without clear user intent or safety boundaries.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill instructs users to run persistent watchdog processes and perform remote SSH/SCP operations on external hosts, but it does not clearly warn that these actions can modify remote systems, consume resources continuously, or leave long-running processes active. In an agent-skill context, this is risky because an automated agent may execute the commands with elevated trust, causing unintended remote changes, cloud spend, or persistence without explicit user confirmation.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The markdown explicitly directs autonomous kill/relaunch behavior and immediate executable local action without a clear warning, consent boundary, or safety checkpoint. In practice, that can terminate legitimate processes, create relaunch loops, and let an agent take impactful system actions that a user may not expect from a backtesting skill.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The markdown directs setup of remote server access and SSH/API access without warnings about secrets, host trust, privilege boundaries, billing risk, or system-impacting actions. In an agent-assisted environment, that omission is dangerous because it can lead users or downstream automation to paste credentials, run startup scripts, or connect to infrastructure without informed consent or safeguards.

Missing User Warnings

Severity: Low
Confidence: 87%
Finding:
The request to back up results to a local machine and cloud omits any warning about what data may be transferred, where it will be stored, and whether it contains sensitive strategy artifacts, credentials, logs, or proprietary datasets. This can result in unintended disclosure or persistence of sensitive trading research and environment information.

Hidden Instructions

Severity: High
Category: Prompt Injection
Content (excerpt from the skill's markdown, as flagged by the scanner):

````text
└── phase0_top500.json   # Phase 0 prescreening results
```

<!-- AUTO-WORKFLOW-NOTES:START -->
## Auto Workflow Notes (Maintained By Swarm)
- Updated UTC: `2026-02-12T09:42:52.947228+00:00`
- Run ID: `bt-20260211_233304Z`
````

Confidence: 85%
Finding (the flagged block as extracted by the scanner, line breaks restored):

````text
<!-- AUTO-WORKFLOW-NOTES:START -->
## Auto Workflow Notes (Maintained By Swarm)
- Updated UTC: `2026-02-12T09:42:52.947228+00:00`
- Run ID: `bt-20260211_233304Z`
- Stage: `unknown`
- Hardware snapshot
````

VirusTotal

66/66 vendors flagged this skill as clean.