Munger Decision Free

Security checks across malware telemetry and agentic risk

Overview

This is a local decision-framework skill, but users should not treat its investment allocation examples as personalized financial advice.

Install only if you want an educational decision-analysis assistant. Treat investment percentages, action labels, and business/career recommendations as heuristic prompts, not professional financial, legal, or career advice. Verify important decisions independently, and expect possible runtime or quality issues because some referenced data files appear missing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The documented thresholds for action recommendations do not match the implemented logic for L3 assessments, so users and downstream developers may rely on behavior that the code does not actually produce. In a decision-support skill that guides investment, career, and business choices, this inconsistency can cause materially different actions than intended and undermines trust in the safety controls.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documented investment cap conflicts with the implemented maximum-position values, which can lead users to allocate more or less capital than the system actually intends. Because this skill explicitly gives portfolio sizing guidance, contradictory limits are risky and can directly affect user assets.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The example claims an L3 case should return '谨慎推进', but the implementation would return '全力推进', creating a concrete contradiction in user-facing guidance. Since examples are often copied into production behavior or used by operators to validate outputs, this mismatch can miscalibrate decisions in sensitive domains like investing and business strategy.

Intent-Code Divergence

Low
Confidence
90% confidence
Finding
The assessment interface omits `overconfidenceFlag` even though downstream code expects it, creating a type-contract mismatch. This can cause compile/runtime issues or silently bypass a safety downgrade path meant to reduce risky recommendations when overconfidence is detected.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The enum advertises crypto and relationship scenarios, but the allocation matrix does not implement them, which can produce undefined behavior or crashes when those scenarios are selected. In a decision assistant, unsupported scenarios being presented as available can lead to missing safeguards or incorrect recommendations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document gives concrete investment allocation recommendations without a clear warning that the content is not financial advice, despite operating in a decision-support context affecting user assets. This increases the chance that users will treat heuristic examples as prescriptive guidance and take losses based on the skill's outputs.

VirusTotal

66/66 vendors flagged this skill as clean.
