ClawHub

Query real-time and historical financial data across equities and crypto prices, market moves, metrics, and trends for analysis, alerts, and reporting

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward market-data skill that uses an AIsa API key to fetch stock and crypto data, with no evidence of hidden execution, persistence, or destructive behavior.

Install only if you trust AIsa with your API key and market-data queries. Use a dedicated API key when possible, monitor billing or credit usage, and avoid sending proprietary portfolio, strategy, or regulated trading information unless that sharing is approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares required binaries and an API-key environment variable, and its examples clearly perform outbound network requests, but it does not declare permissions for network and environment access. This creates a transparency and policy gap: users and platforms may not realize the skill can read credentials and transmit prompts/query parameters to a third-party service.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The README markets the skill as market data access but does not prominently warn that requested tickers, screening filters, and analysis queries are sent to an external API provider. While expected for this type of integration, the missing disclosure can cause unintentional sharing of potentially sensitive investment research or watchlist information.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal