PythonGO

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PythonGO documentation helper, but its bundled trading, installer, and debugging examples should be followed carefully.

Use this skill as a PythonGO reference, not as a safety-reviewed trading system. Review generated strategy code before running it, test in simulation or paper mode first, do not hardcode real credentials, avoid untrusted downloads, and do not bypass security warnings unless you have verified the installer source and trust the file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (24)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill instructs the agent to read local code/docs and reference an external documentation site, while the static analyzer also inferred broader capabilities such as file access, environment access, and network use. Because no permissions are declared, operators and downstream enforcement layers may underestimate what the skill can access or trigger, which creates a governance and containment gap if the bundled implementation or surrounding runtime actually exposes those capabilities.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The stated purpose is a Q&A/documentation skill, but the referenced behavior includes operational trading actions, market-data subscription, downloads, backtesting, GUI execution, and automated strategy execution. That mismatch is dangerous because users or policy systems may invoke the skill expecting passive analysis while it can assist with or expose workflows that materially affect trading systems, external services, or local execution surfaces.

Category: Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: This file adds a remote debugging capability that is unrelated to the stated purpose of a documentation/Q&A skill. Even though it binds only to 127.0.0.1, opening a debug listener can expose powerful code-execution and process-inspection functionality to any local actor or forwarded connection, which expands the attack surface without clear justification in this context.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: Starting a debugpy listener is a sensitive capability because a debugger can inspect memory, alter execution, and potentially execute code in the target process. In a skill intended for answering questions about code and docs, this capability is unjustified and therefore more dangerous, especially if an operator enables it in a shared or production environment.

Category: Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: `import_strategy()` loads a Python file from an arbitrary path and executes it via `spec.loader.exec_module(module)`, which gives the file full code-execution capability at import time. In the context of this skill, whose stated purpose is answering questions about code/docs rather than running user-provided strategies, this is especially dangerous because it expands the attack surface to arbitrary local code execution if an attacker can influence the path or supplied strategy file.

Category: Context-Inappropriate Capability
Severity: Low
Confidence: 98%
Finding: The manifest includes absolute Windows paths pointing to a specific developer workstation, including username and local directory structure. This leaks unnecessary environmental details that can aid fingerprinting, social engineering, or targeted follow-on attacks, even though it does not by itself enable code execution.

Category: Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The indexed JSON attaches parameter and return tables to the wrong APIs, which can cause downstream agents or users to call the wrong function signatures or mis-handle returned data. In a skill whose purpose is to answer implementation and usage questions from bundled indexed docs, this creates a real integrity problem that can produce unsafe automation, bad trading logic, or abusive API usage due to incorrect limits/arguments.

Category: Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: Additional table misassignments further corrupt the semantic mapping between APIs and their documented contracts, so consumers of the indexed file may receive systematically wrong guidance. Because this skill is explicitly designed to answer questions from docs_indexed, the bad index directly increases the chance of incorrect code generation or operational misuse.

Category: Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The indexed tables appear misaligned with the actual function sections, causing parameters and return values to be attributed to the wrong APIs. In a trading-related module, this can mislead downstream agents or users into calling sensitive functions incorrectly, potentially triggering unintended order placement, cancellation, or misuse of account data.

Category: Natural-Language Policy Violations
Severity: Low
Confidence: 95%
Finding: The skill metadata hard-codes a Chinese short description, which can bias or force the interaction language without explicit user preference. This is a low-severity policy and usability issue because it may cause unintended language switching, reduce clarity for users expecting another language, and make downstream responses less aligned with user intent.

Category: Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The strategy automatically cancels existing orders and places new buy/sell orders directly from moving-average crossover signals without any explicit user confirmation, safety interlock, risk limits, or user-facing disclosure in this code path. In a trading-strategy demo this behavior may be expected, but it is still operationally risky because a user could run it on a live account and trigger unintended trades, repeated order churn, or losses from misconfiguration or noisy signals.

Category: Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The function downloads attacker-controlled content from a URL and extracts every ZIP entry directly to the target directory without validating entry paths, archive size, or file types. This creates a real archive-extraction risk: a crafted ZIP can perform path traversal (Zip Slip) to write outside the intended directory, and may also cause resource exhaustion via oversized or highly compressed payloads.

Category: Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The documentation instructs users to place `access_key` and `access_secret` directly into source code examples, without any warning against hardcoding or guidance on safer secret handling. This can lead users to commit credentials into repositories, leak them through screenshots or logs, and normalize insecure secret management practices in real trading or backtesting environments.

Category: Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The documentation instructs users to uninstall Python and manually delete Python-related directories under %localappdata%\Programs\Python without any warning, backup guidance, or scope limitation. This can cause accidental deletion of active Python installations, virtual environments, or other locally installed tooling, leading to data loss and workstation disruption.

Category: Missing User Warnings
Severity: Medium
Confidence: 82%
Finding: The documentation describes live trading actions such as send_order and cancel_order without warning that these operations can place or modify real market orders with financial consequences. In an agent skill context, omission of such warnings increases the chance that a user or automated system treats the APIs as harmless examples rather than side-effecting trading functions.

Category: Missing User Warnings
Severity: Medium
Confidence: 80%
Finding: The account and position retrieval APIs expose investor identifiers, balances, and holdings but do not include any sensitivity or privacy warning. In a skill used to answer implementation questions, that omission can normalize unrestricted handling, logging, or sharing of financial data by users or agents.

Category: Missing User Warnings
Severity: Medium
Confidence: 99%
Finding: The documentation explicitly tells users that if 360 security software warns, they should 'allow all actions' for the program. In a security-sensitive installation context, instructing users to bypass endpoint protection without validation is highly dangerous because it normalizes overriding defenses that may be detecting genuinely malicious or tampered installer behavior.

Category: Missing User Warnings
Severity: High
Confidence: 99%
Finding: The documentation explicitly tells users that if 360 security software warns, they should 'allow all actions' for the program. In a security-sensitive installation context, instructing users to bypass endpoint protection without validation is highly dangerous because it normalizes overriding defenses that may be detecting genuinely malicious or tampered installer behavior.

Category: Vague Triggers
Severity: Medium
Confidence: 79%
Finding: This tutorial normalizes a strategy pattern that places a real order immediately on startup, but it does not clearly bound the behavior with safety constraints, simulation-only guidance, or examples of when not to use it. In a trading skill context, omission of such guardrails can lead users to adapt and run the example in live environments, causing unintended trades.

Category: Missing User Warnings
Severity: High
Confidence: 95%
Finding: The documented `on_start()` implementation submits an order as soon as the strategy starts, with no confirmation, interlock, or prominent warning about financial consequences. In an automated trading framework, this can directly trigger unintended market activity, including accidental live orders, losses, or compliance issues if copied by inexperienced users.

Category: Missing User Warnings
Severity: High
Confidence: 96%
Finding: The complete-code section ends by encouraging users to load and try the strategy, but the included code immediately sends an order on start and the text does not visibly restate that consequence. This increases the likelihood of copy-paste deployment and accidental execution in a live trading environment, making the tutorial more dangerous in context.

Category: Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The documentation explicitly instructs users to place `access_key` and `access_secret` directly in source code, but it does not warn about secret exposure risks or recommend safer storage mechanisms. This can lead to accidental credential leakage through source control, shared example files, screenshots, logs, or copied snippets, especially because this is setup guidance that users are likely to follow verbatim.

Category: Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The tutorial explicitly teaches a strategy that immediately places an order as soon as it starts, but it does not prominently warn readers about the real-world consequences of connecting to a live trading environment. In a trading skill, this omission is dangerous because users may copy the example verbatim and unintentionally submit real orders, causing financial loss or unintended market activity.

Category: Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The sample code invokes send_order() directly inside on_start(), meaning the act of launching the strategy is sufficient to submit an order. Without adjacent safeguards or warnings, this creates a copy-paste hazard in which inexperienced users may deploy the example and trigger unintended trades immediately.

VirusTotal

53/53 vendors flagged this skill as clean.