Fund Advisor Cn

Security checks across malware telemetry and agentic risk

Overview

This is a local fund-planning and calculator skill with financial-advice and local-history privacy caveats, but no evidence of account access, exfiltration, unsafe automation, or deception.

Use this as educational fund-planning support, not licensed financial advice. Verify assumptions, risk tolerance, time horizon, fees, and local rules before acting. Avoid entering sensitive transaction details unless you are comfortable with them being stored locally in plaintext under the skill’s data directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 89%
Finding
The description explicitly says to use the skill when making fund investment decisions, which is broad enough to trigger on generic financial requests without clear boundaries. Over-broad routing can cause the assistant to invoke specialized investment guidance in situations where the user did not request it, increasing the risk of unsuitable or overconfident financial advice.

Vague Triggers

Medium
Confidence: 84%
Finding
The skill description and usage sections do not define trigger constraints, exclusions, or negative examples, so the agent may match loosely related investing prompts. In a financial context, ambiguous activation criteria are risky because they can route users into advice-like outputs beyond the skill's intended scope.

Missing User Warnings

Medium
Confidence: 90%
Finding
The track command logs user-supplied transaction descriptions to a local history file without any disclosure, consent prompt, or access-control hardening. In a financial tool, even partial transaction metadata can reveal sensitive spending habits or personal information, and storing it in predictable plaintext under the user's data directory increases privacy risk if the host is shared or later compromised.

VirusTotal

66/66 vendors flagged this skill as clean.
