Investment Research

Security checks across malware telemetry and agentic risk

Overview

This is a coherent investment-research skill that uses expected finance and search data tools, with some credential and privacy cautions users should follow.

Before installing, verify the GitHub/source and version, use trusted qveris/Tavily credentials, do not print or share API keys, and avoid sending confidential portfolio, client, or trading strategy details through third-party data/search tools. Treat generated reports as research support, not financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The guide explicitly tells users to print `QVERIS_API_KEY` and `TAVILY_API_KEY` to the terminal to verify configuration. While this does not exfiltrate the secrets by itself, it unnecessarily exposes credentials on-screen and can leak them through terminal scrollback, screen sharing, logging, shell history workflows, or recorded sessions.

Missing User Warnings

Medium
Confidence: 92%
Finding
The README instructs users to enable third-party tools (`qveris-official` and `tavily-search`) for live finance and web data, but it does not warn that user prompts, tickers, company names, research targets, or derived analysis context may be transmitted to external services. In an investment-research context, those queries can reveal sensitive trading interests, proprietary research focus, or client-related information, so the omission creates a real privacy and data-governance risk.

VirusTotal

65/65 vendors flagged this skill as clean.
