Smart Stock Trader

Security checks across malware telemetry and agentic risk

Overview

This is not malware, but it overstates stock-trading, backtesting, and paid signal capabilities that the shipped files do not support.

Treat this as unverified financial-advice documentation, not a working trading system. Do not pay for signals or act on trade recommendations unless the publisher supplies the missing implementation, data sources, performance evidence, support/refund terms, and clear proof of live-data freshness. Keep all trading decisions under human review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The document presents multiple advanced capabilities as already implemented in V2.5, while later sections indicate core supporting features are only planned. In a finance/trading skill, this can mislead users into relying on nonexistent safeguards, review steps, or automation features when making financial decisions, increasing operational and monetary risk.

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The skill advertises real-time/API-backed trading functionality and paid real-time signals, but the roadmap says real-time data API integration is still only planned. In a trading context, users may act on stale, simulated, or nonexistent live data under the false belief that decisions are based on real-time market inputs, which can directly cause financial losses.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The file claims a backtesting engine is already available while the roadmap states that backtesting support is still planned. This is dangerous because users may trust strategy performance, risk controls, or historical validation that the skill cannot actually perform, leading to unvalidated trading decisions and potential financial harm.

VirusTotal

63/63 vendors flagged this skill as clean.
