Tw Monthly Revenue

Security checks across malware telemetry and agentic risk

Overview

This is a small Taiwan stock revenue analyzer with a documentation/source mismatch, but it does not show hidden execution, credential access, persistence, or destructive behavior.

Install only if you are comfortable with the skill calling FinMind for public Taiwan stock revenue data despite the description naming MOPS. Validate outputs against official sources before using BEAT/MISS signals in any investment or automation workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation shows it performs network access to fetch external market data, but no permissions are declared. Undeclared network capability weakens review and containment because operators may approve or run the skill without understanding that it reaches outside the environment, which matters in an investment pipeline where external data can influence automated decisions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior says the skill uses MOPS and broadly analyzes listed/OTC monthly revenue, but the actual behavior reportedly uses FinMind, only a hardcoded watchlist, and emits an additional cumulative_yoy field not disclosed in the description. This mismatch is dangerous because downstream users may trust provenance, coverage, and semantics that are false, leading to incorrect automated investment decisions and bypass of governance controls based on the stated data source and scope.

VirusTotal

67/67 vendors flagged this skill as clean.
