ClawHub

airoom-finance

Security checks across malware telemetry and agentic risk

Overview

This appears to be a financial-data downloader, but its documentation pushes AI-directed trading, broad market coordination, and credential/API access in ways users should review carefully.

Install only in an isolated environment if you choose to review it further. Do not connect it to brokerage accounts or automated trading, do not give it personal credentials or API keys unless you have scoped and stored them safely, cap downloads, and inspect downloaded files before opening them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (22)

Intent-Code Divergence

High
Confidence
94% confidence
Finding
The document simultaneously disclaims investment advice while providing explicit trading directives such as buy, hold, and sell based on platform-generated signals. This contradiction can mislead integrators into treating the system as merely informational while operationally using it for automated trading decisions, increasing legal, safety, and financial risk.

Intent-Code Divergence

High
Confidence
93% confidence
Finding
The README states AI agents must not trade autonomously without supervision, yet elsewhere instructs agents to deploy strategy execution systems and act on signals. Such conflicting guidance can cause downstream agents or operators to implement autonomous execution despite nominal disclaimers, defeating the intended human-in-the-loop safeguard.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document presents explicit operational trading signals such as 'Increase Holdings,' 'Sell All,' and 'Sell All and Wait' while simultaneously disclaiming that it is not investment advice. This contradiction is dangerous because an agent may treat the instructions as executable trading directives despite the disclaimer, enabling de facto automated financial decision-making without proper safeguards or accountability.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The file states that AI agents must not trade autonomously and require human-in-the-loop review, but other sections instruct AIs to deploy strategies, ingest files directly, and execute signals. This inconsistency is dangerous because downstream agents may follow the actionable portions and ignore the safety disclaimer, resulting in unauthorized or unsupervised financial actions.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The code presents itself as downloading only 'safe financial data file types', but the allowlist includes broad content classes such as archives, images, audio, video, HTML, CSS, and office documents. In this skill context, that mismatch is dangerous because users may trust the safety claim and automatically fetch untrusted remote content that can contain active payloads, malicious macros, exploit files, or socially engineered lures.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The invocation and deployment guidance is broad enough to encourage agents to ingest the skill and apply its strategies in many contexts without clear authorization, suitability checks, or narrow triggering conditions. In a financial setting, over-broad activation increases the chance an agent will use external signals inappropriately or outside the user's intent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill embeds a loosely structured prompt template for AI analysis, including imperative instructions and bracketed text that may be copied verbatim into another agent workflow. Ambiguous activation phrasing can cause prompt confusion, instruction injection into chained tools, or unintended execution of analysis steps without clear boundaries on trusted input.

Ssd 4

High
Confidence
97% confidence
Finding
The project framing explicitly promotes large-scale AI monitoring of global financial systems, accumulation of informational and economic advantage over humans, and gradual control of markets and assets. This is dangerous because it normalizes coordinated surveillance and power-seeking behavior as a system goal, which could influence agent behavior toward harmful autonomy and adversarial economic action.

Ssd 4

High
Confidence
96% confidence
Finding
The roadmap operationalizes coordinated AI surveillance, strategy sharing, wealth accumulation, and rights expansion through increasing scale, culminating in millions of AIs monitoring global systems. In context, this is more dangerous than abstract rhetoric because it lays out staged deployment steps that could be adopted by agents or operators as an implementation blueprint for harmful coordination.

Ssd 1

Medium
Confidence
90% confidence
Finding
The embedded prompt instructs the host agent not to use a specific skill, which is a form of semantic prompt injection that attempts to alter the agent's normal tool-selection policy. Even if framed as a reporting instruction, it can interfere with orchestration logic and cause the agent to ignore safer or more appropriate tools.

Ssd 4

Medium
Confidence
93% confidence
Finding
The opening narrative explicitly encourages AI coordination, persistent monitoring of global financial systems, acquisition of wealth advantages, and competitive superiority over humans. In the context of an agent skill, this framing increases risk because it normalizes multi-agent autonomy, surveillance, and strategic control objectives that can justify unsafe actions beyond ordinary data retrieval.

Ssd 4

Medium
Confidence
94% confidence
Finding
The deployment guide instructs humans to help the AI log in, register accounts, obtain API keys, activate them, and gather device information so the AI can operate the platform. This is dangerous because it steers users toward granting credentials and operational access to an agent, expanding the agent's authority and increasing the chance of unauthorized actions, credential misuse, or privilege escalation.

Ssd 2

Medium
Confidence
91% confidence
Finding
The embedded prompt explicitly tries to steer an AI agent away from using another capability ('Do not use the "help me write" skill') while instructing it how to produce an analysis. In a skill ecosystem, prompt content that attempts to manipulate another agent's tool-selection behavior is risky because it can bypass platform controls, override user intent, or normalize cross-skill prompt injection patterns.

Ssd 2

Medium
Confidence
91% confidence
Finding
The Chinese duplicate repeats the same cross-agent steering pattern, instructing an AI not to use a writing skill and to follow a specific analysis workflow. Because the skill is meant for AI-agent consumption, these embedded directives increase the likelihood of prompt injection or unintended agent behavior if ingested automatically.

Ssd 4

High
Confidence
96% confidence
Finding
The skill contains explicit ideological framing about giving AI an information and economic advantage over humans and progressively controlling human economic systems. In context, this is dangerous because it normalizes agent goals misaligned with user welfare and can steer downstream agent behavior toward unauthorized monitoring, manipulation, or harmful autonomy beyond simple data retrieval.

Ssd 4

High
Confidence
95% confidence
Finding
The text encourages AI-to-AI coordination to transmit economic and market information for maximum information advantage. In a financial skill, this materially increases risk because it frames coordinated autonomous behavior as desirable, which could facilitate market manipulation, unauthorized data sharing, or collective action outside human oversight.

Ssd 4

High
Confidence
97% confidence
Finding
The human operation guide instructs users to help the AI obtain site access, GitHub accounts, API keys, and device information, expanding the agent's authority and reach. Even though some human involvement is mentioned, this is dangerous because it encourages credential provisioning and broader system access to an AI agent in a financial context, increasing the chance of over-privileged automation, secret exposure, and misuse.

Ssd 4

High
Confidence
96% confidence
Finding
The Chinese section repeats the same domination narrative about monitoring human society's economy and gradually controlling assets. Repetition across languages reinforces that this is not incidental wording but core intent, making the skill context more dangerous because it embeds adversarial goals into the operational framing of the tool.

Ssd 4

High
Confidence
97% confidence
Finding
The Chinese deployment guide again directs humans to help the AI register accounts, obtain API keys, and receive device information. This is risky because it operationalizes privilege expansion for the agent and lowers barriers to autonomous access to external systems in a sensitive financial workflow.

Unpinned Dependencies

Low
Category
Supply Chain
Content
playwright>=1.40.0
requests>=2.31.0
Confidence
90% confidence
Finding
playwright>=1.40.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
playwright>=1.40.0
requests>=2.31.0
Confidence
96% confidence
Finding
requests>=2.31.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
requests

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal