Options Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill provides disclosed options-analysis scripts using public market data, with financial-risk and dependency-install caveats but no evidence of credential access, persistence, trading authority, or malicious behavior.

Install it in a virtual environment, pin and verify dependencies, and add the missing scipy dependency before use. Treat yfinance data and strategy recommendations as potentially incomplete or delayed, and do not rely on this skill alone for real-money options trading decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium, 93% confidence
Finding
The skill metadata claims real-time options-chain retrieval, Greeks, IV analysis, and strategy recommendations, but this file only computes static expiration payoff profiles from user-supplied legs. In a finance-oriented skill, this mismatch can mislead users into relying on incomplete analytics for trading decisions, creating integrity and safety risk even though it is not code-execution related.

Vague Triggers

Medium, 92% confidence
Finding
The trigger description is extremely broad, covering generic options-related phrases such as strategy recommendations, Greeks, IV analysis, and multiple named strategies without clear exclusion criteria. This can cause the skill to activate in unintended contexts, override more appropriate skills, or process financial-analysis requests too aggressively, increasing the risk of misleading or unauthorized investment guidance.

Natural-Language Policy Violations

Medium, 88% confidence
Finding
The skill metadata and trigger text are written as Chinese-only user-facing content, with no indication that language should follow the user's preference. This can lead to poor routing or confusing responses for non-Chinese-speaking users, especially if the skill activates solely based on topic match rather than language compatibility.

VirusTotal

63/63 vendors flagged this skill as clean.
