FinResearchClaw

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed finance research automation wrapper, but users should trust and review the external repo before running its auto-approved workflows.

Install this only if you are comfortable cloning and running the ChipmunkRPA/FinResearchClaw repo. For sensitive or costly work, review the repo and selected configs first, consider pinning a known commit, run in a sandbox or dedicated workspace, and avoid confidential datasets unless your chosen Codex/Claude/API provider is approved.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The script invokes `researchclaw run` with `--auto-approve`, which suppresses any confirmation gate before an autonomous finance research workflow executes. In a skill designed to run end-to-end research pipelines, this increases the chance of unintended actions, unsafe tool use, or costly/external side effects occurring without user review.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal