ClawHub

Tearsheet Generator

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local report-generation skill, but users should review its hardcoded local Python dependency and treat leverage outputs as informational only.

Install only if you intend to run local Python backtest/report workflows on trusted trade data. Before use, inspect or replace the referenced local Backtests dependency, choose an output directory you control, back up existing reports with the same strategy name, and do not treat leverage recommendations as financial advice or live exchange risk controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The example code prepends a hard-coded local directory to `sys.path`, changing Python's import resolution in a way that is unrelated to core tearsheet generation and dependent on a specific workstation path. This can cause unintended module shadowing or import of untrusted local code if that path exists or is replaced, and it encourages users to run environment-specific code with elevated trust.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The command documentation explicitly says it will create a verification JSON and update the tearsheet, but it does not warn the user that files may be modified or written as part of execution. In an agent setting, undocumented file writes can surprise users, overwrite existing artifacts, or alter analysis outputs without clear consent, which is a legitimate safety issue even if the behavior appears operational rather than malicious.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The command documentation indicates it will generate multiple output files and run a new backtest, but it does not explicitly warn users that invoking it causes local artifact creation and state changes. In an agent setting, incomplete disclosure of side effects can lead to unintended execution, overwriting files, or consuming compute resources when a user expects a read-only analysis step.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The document provides detailed leverage, liquidation, and optimization formulas that could be used to encourage or automate high-risk trading behavior without any explicit warning about the possibility of rapid capital loss. In the context of a tearsheet/reporting skill, presenting leverage recommendations and liquidation math as neutral reference material can cause users to over-trust the guidance and underestimate financial risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal