ClawHub

Macd

Security checks across malware telemetry and agentic risk

Overview

This MACD skill is a disclosed trading-analysis calculator and guide, but users should treat its buy/sell language as educational rather than financial advice.

Install only if you want a local MACD calculator and educational trading guide. Do not treat its BUY, SELL, stop, target, or hold language as personalized financial advice, and do not place trades based only on this skill's output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This skill materially exceeds simple MACD computation by providing prescriptive trading guidance, including crossover interpretation and recommended actions. In an agent context, that can influence real financial decisions without suitability checks, market context, or safety caveats, making it a genuine scope/safety issue rather than a harmless educational embellishment.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The additional commands provide broad trading playbooks, entries, stops, targets, and filtering rules that go well beyond MACD calculation. In a tool advertised as a calculator skill, this increases the chance that users or downstream agents treat the output as actionable financial advice, which creates safety and policy risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script emits concrete action recommendations such as holding longs, avoiding longs, or taking profits without any warning that the output is informational only. Because MACD signals are noisy and context-dependent, such guidance can mislead users into making trades they perceive as endorsed by the tool, increasing risk of financial harm.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The educational outputs include explicit buy, sell, short, stop-loss, and target instructions without accompanying warnings about market risk, limitations, or non-advisory status. In the context of an agent skill, these prescriptive instructions are more dangerous because they can be surfaced as authoritative recommendations and acted on directly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal