Qveris Finance

Security checks across malware telemetry and agentic risk

Overview

This is a finance data skill that uses a QVeris API key to retrieve market information, with some scoping and documentation caveats but no artifact-backed malicious behavior.

Install only if you are comfortable providing a QVeris API key and sending finance-related prompts, tickers, and parameters to qveris.ai. Treat outputs as informational market data, not investment advice, and monitor QVeris usage or quota. The publisher should clarify that the Node helper is a fixed local API client and narrow ambiguous trigger wording, but the reviewed artifacts are coherent and purpose-aligned.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Context-Inappropriate Capability

Medium, 94% confidence

The skill is described as a read-only financial data assistant, but it explicitly instructs the agent to fall back to local script execution via `node {baseDir}/scripts/qveris_tool.mjs ...`. That expands the trust boundary from controlled API/tool calls to local code execution, creating risk if the script, arguments, or surrounding execution environment are tampered with or if agents treat this as permission to run commands more broadly.

Intent-Code Divergence

High, 98% confidence

The security section claims the skill does not execute arbitrary commands, but earlier instructions tell the agent to run local Node commands. This contradiction can mislead reviewers and downstream systems into trusting the skill more than warranted, while still enabling local execution paths that may expose secrets, widen attack surface, or permit unintended command usage.

Vague Triggers

Medium, 90% confidence

`auto_invoke: true` combined with broad trigger conditions such as general requests to analyze stocks or market overviews increases the chance of automatic activation without sufficiently precise user intent. In a credentialed skill, this can cause unprompted outbound requests to the vendor API, unnecessary API-key use, and accidental data sharing of user-provided tickers or prompts.

Vague Triggers

Medium, 89% confidence

The trigger examples for conversational analysis mode use broad phrases like '能买吗' ("can I buy it?") and '怎么样' ("how is it?"), which can match casual everyday language without clear user intent to request financial analysis. In a finance skill, this can cause the agent to enter an analysis workflow unexpectedly, increasing the chance of unsolicited investment-oriented responses and misleading users about the scope or formality of the output.

Natural-Language Policy Violations

Medium, 83% confidence

The template prescribes a Chinese output style ('口语模式', "colloquial mode") without indicating that this is conditional on user language preference or opt-in. This can override user expectations, degrade transparency, and in a financial context may cause users to miss important risk disclosures or misunderstand analysis if the response language does not match their requested language.

VirusTotal

VirusTotal findings are pending for this skill version.
