Czsc Thinking

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed stock-analysis skill with optional market-data scripts; it does not execute trades or hide unrelated access, but users should treat its trading signals as informational only.

Install only if you want an educational/analytical trading framework. Do not let it place trades for you, verify any signals independently, consider your own risk and jurisdictional requirements, and protect your Tushare token by using a private environment or safer secret handling instead of pasting real credentials into shared command lines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The document gives concrete buy/sell methodology, timing, and trading execution guidance in an agent skill intended to be used for stock analysis and strategy formulation, but it does not clearly warn that the content is educational only and not individualized investment advice. In this context, an agent could present these rules as actionable recommendations, increasing the risk of financial harm, user overreliance, and regulatory/compliance issues.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script emits explicit trading suggestions such as buy-on-dips, sell-on-rallies, and hold/cash guidance without any disclaimer, suitability warning, or statement that results are for informational/educational use only. In the context of a skill specifically intended to guide stock buy/sell analysis, users may reasonably rely on these outputs for real financial decisions, increasing the risk of harmful over-trust.

VirusTotal

64/64 vendors flagged this skill as clean.
