Vynn Backtester

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Vynn backtesting client that sends strategy inputs to Vynn using a user-provided API key, with no hidden local persistence or destructive behavior found.

Install this only if you are comfortable sending strategy descriptions, ticker lists, and lookback settings to Vynn. Use a dedicated VYNN_API_KEY, avoid including sensitive portfolio/account details in prompts, and verify any VYNN_BASE_URL override before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill declares access to environment variables and uses networked API calls, but it does not declare explicit permissions for those capabilities. This creates a transparency and governance gap: users and host systems may not realize the skill can read secrets and send data externally, which weakens review and consent controls. In this context, the risk is elevated because the skill transmits strategy inputs and relies on an API key, so undeclared capabilities directly affect sensitive data flow.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The plugin sends user-provided strategy text and ticker symbols to a third-party API endpoint, but the code provides no explicit user-facing disclosure, consent check, or data-handling warning before transmission. In this skill context, strategy descriptions may contain proprietary trading logic or sensitive financial intent, so silent exfiltration to an external service creates a real privacy and data-governance risk even if it is expected functionality.

VirusTotal

66/66 vendors flagged this skill as clean.