Trading Signals

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but its default email alerting can send trading reports to a fixed external address using a local Resend credential file without a clear opt-in boundary.

Review before installing. Only use this if you are comfortable with it reading a local Resend API credential and sending trading signal reports through Resend. Change or remove the default email recipient before running it, avoid using continuous monitoring unless you explicitly want recurring checks, and consider disabling email alerts until the skill documents consent, recipients, credential handling, and stored state clearly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding:
The skill advertises operational capabilities that imply environment access, but no permissions are declared. This creates a transparency and least-privilege problem: reviewers and users cannot accurately assess what sensitive data or runtime capabilities the skill may access, increasing the chance of unexpected secret use or privilege creep.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding:
The documented behavior materially differs from the actual behavior: the skill can send outbound emails, read local credentials, and persist state, none of which are clearly disclosed in the main description. Hidden outbound communication and secret/file access are dangerous because they expand the trust boundary and can lead to data leakage, spam, or unauthorized automation under the guise of simple market analysis.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding:
The configuration includes outbound email alerting, which goes beyond a passive trading-signal reference list and creates a data-exfiltration or unauthorized notification channel. In an agent skill context, even a simple recipient address can enable unreviewed external communications, spam, leakage of trading activity, or covert signaling if the skill uses alerts automatically.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
This file adds a generic outbound email capability to a trading-signals skill, which materially expands the skill's ability to exfiltrate data or contact third parties. Even if intended for reporting, the capability is outside the core market-analysis function and increases risk because it can transmit user or system-derived content off-device.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The code reads API credentials directly from the user's home directory (~/.config/resend/credentials.json), accessing a sensitive local secret not obviously required for generating trading signals. In this skill context, that makes the behavior more dangerous because the credential access is unrelated to technical analysis and enables unauthorized outbound communication using the user's account.

Vague Triggers

Severity: Medium
Confidence: 76%
Finding:
An overly broad trigger description can cause the skill to activate for generic finance or analysis requests that do not clearly ask for this tool. Overbroad invocation increases the chance of unintended tool use, which is especially risky here because the skill also supports monitoring and alerting behaviors beyond simple one-off analysis.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The skill mentions email notifications and continuous monitoring but does not clearly warn that it may generate automated outbound alerts or make ongoing operational changes. Users may believe they are requesting a passive analysis when they are actually enabling recurring actions, which can create privacy, abuse, and consent issues.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The function performs an HTTPS POST to a third-party email API and transmits message content plus an authorization bearer token without any built-in disclosure, approval flow, or user confirmation. In an agent skill, silent external transmission is risky because generated reports or embedded data could be sent off-platform without the user's awareness.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding:
Accessing a sensitive credential file without any explanatory disclosure is a transparency and consent problem, especially in a skill whose stated purpose is market analysis rather than account integration. While the file read alone is not exfiltration, it normalizes hidden secret access and increases the chance of misuse or user surprise.

VirusTotal

VirusTotal findings are pending for this skill version.
