Trading Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed market-data analysis helper, with expected third-party data access and setup risks but no evidence of hidden, destructive, or deceptive behavior.

Install only if you trust mcporter and the listed MCP server packages. Prefer pinned package versions where possible, avoid committing or syncing shell profiles that contain API keys, and do not submit confidential watchlists or proprietary trading research unless you are comfortable sharing those queries with the configured providers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Low
Confidence: 95%
Finding
The README describes use of external market-data MCP servers but does not clearly warn users that ticker symbols, query parameters, and related requests will be transmitted to third-party services over the network. This is a real documentation/security-privacy gap because users may assume analysis is local when it is not, though it does not by itself indicate malicious behavior.

Missing User Warnings

Low
Confidence: 97%
Finding
The README instructs users to place an API key into shell profiles for persistence without cautioning about credential exposure, shell history, shared accounts, dotfile syncing, or least-privilege handling. This is a genuine security hygiene issue because it normalizes persistent secret storage without guidance, increasing risk of accidental disclosure.

Missing User Warnings

Low
Confidence: 80%
Finding
The skill directs users to send ticker symbols and query parameters to third-party market-data services without clearly warning that requests and associated metadata will be shared with external providers. While the data involved is usually low sensitivity, the absence of disclosure can lead to unintentional exposure of user interests, trading research activity, or organization-specific watchlists to outside services.

VirusTotal

64/64 vendors flagged this skill as clean.
