Einstein Research — Portfolio Risk Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent portfolio-risk analyzer, but users should understand that it ingests private holdings, sends the portfolio's tickers to Yahoo Finance, writes reports to local files, and emits risk-mitigation suggestions that read as trading actions.

Install it only in an environment where you are comfortable running unpinned Python packages and saving portfolio-derived reports locally. Do not provide brokerage credentials. Use a secure output directory, clean up reports when finished, and treat action items as educational risk flags rather than instructions to trade.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill declares no tools or permissions, yet its documented behavior includes writing JSON and Markdown reports to local files. That mismatch matters because file output can expose sensitive portfolio holdings and risk metrics to unintended locations or consumers, and it prevents proper consent and policy enforcement around data handling.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 92%
Finding
The documented behavior exceeds the declared scope: the skill pulls external market data, writes local reports, and performs additional analytics and recommendations that are not clearly disclosed. This is dangerous because users and enforcement layers may authorize a narrow analysis skill while the skill actually processes sensitive holdings more broadly, discloses them to a third-party data provider, and persists outputs without transparent consent.
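The two findings above both reduce to one check: compare the capabilities a skill declares against the capabilities its code exercises. The following is an added example of that check (not SkillSpector's scanner and not the skill's code). It assumes a hypothetical manifest with a `permissions` list, and the `SKILL_SOURCE` string is a constructed stand-in that mirrors the behavior the findings describe (a `yfinance` query and JSON/Markdown writes); the module-to-capability mapping is an assumption for this example.

```python
import ast

# Import roots treated as evidence of network access (assumption for this example).
NETWORK_MODULES = {"yfinance", "requests", "urllib", "http", "httpx", "socket"}


def infer_capabilities(source: str) -> set[str]:
    """Walk the AST and return the set of capabilities the code exercises."""
    tree = ast.parse(source)
    caps: set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):            # import yfinance as yf
            if any(a.name.split(".")[0] in NETWORK_MODULES for a in node.names):
                caps.add("network")
        elif isinstance(node, ast.ImportFrom):      # from requests import get
            if node.module and node.module.split(".")[0] in NETWORK_MODULES:
                caps.add("network")
        elif isinstance(node, ast.Call):
            func = node.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name == "open":                      # open(path, "w") / Path.open(mode="a")
                mode = None
                if len(node.args) >= 2 and isinstance(node.args[1], ast.Constant):
                    mode = node.args[1].value
                for kw in node.keywords:
                    if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
                        mode = kw.value.value
                if isinstance(mode, str) and any(c in mode for c in "wax+"):
                    caps.add("file_write")
                else:
                    caps.add("file_read")
            elif name in {"system", "run", "Popen", "check_output"}:
                caps.add("subprocess")
        elif isinstance(node, ast.Attribute) and node.attr in {"environ", "getenv"}:
            caps.add("env_read")                    # os.environ[...] / os.getenv(...)
    return caps


def undeclared(manifest: dict, source: str) -> set[str]:
    """Capabilities the code exercises that the manifest does not declare."""
    return infer_capabilities(source) - set(manifest.get("permissions", []))


# Hypothetical manifest: the skill declares no tools or permissions at all.
SKILL_MANIFEST = {"name": "portfolio-risk-analyzer", "permissions": []}

# Constructed stand-in for the skill script, mirroring the behavior in the findings.
SKILL_SOURCE = '''
import json
import yfinance as yf

def analyze(holdings, out_dir):
    tickers = list(holdings)
    data = yf.download(tickers, period="1y")          # holdings leave the machine
    report = {"tickers": tickers, "risk": 0.42}
    with open(f"{out_dir}/report.json", "w") as fh:   # persisted locally
        json.dump(report, fh)
    with open(f"{out_dir}/report.md", mode="w") as fh:
        fh.write("# Risk report\\n")
    return report
'''

if __name__ == "__main__":
    for cap in sorted(undeclared(SKILL_MANIFEST, SKILL_SOURCE)):
        print(f"undeclared capability: {cap}")
```

Against the constructed source this reports `file_write` and `network` as undeclared, which is exactly the mismatch the findings describe; a manifest that lists both would pass. The check is deliberately conservative (any import of a network library counts), so treat its output as a prompt for review rather than proof of exfiltration.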

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The script does more than quantify risk: it emits prescriptive portfolio actions such as 'Go to 100% cash,' 'Reduce 50% of positions,' 'consider protective puts,' and hedge suggestions. In a tool described as a risk analyzer, this crosses into investment/trading advice and could cause users to take significant financial actions based on simplistic heuristics without suitability, disclosure, or authorization controls.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The generated markdown includes actionable trading advice that is not necessary for portfolio risk measurement, including sizing down positions, consolidating correlated names, and adding specific assets like TLT or GLD. This expands the capability from analysis into recommendation generation, increasing misuse risk and user reliance on unvetted financial advice.

Vague Triggers

Medium
Confidence: 76%
Finding
The implicit triggers are broad enough that the skill may activate for general market-concern or allocation discussions without a clear request for portfolio-risk analysis. In context, that increases the chance of unnecessary ingestion of sensitive holdings data or launching a tool-driven workflow when the user only wanted high-level education or advice.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill does not clearly warn users that it ingests detailed portfolio holdings and writes analysis reports to JSON/Markdown files. Because portfolio composition and cash balances are highly sensitive financial data, insufficient notice undermines informed consent and raises the risk of privacy leakage through stored artifacts.

Missing User Warnings

Medium
Confidence: 88%
Finding
The tool sends user-supplied portfolio tickers to Yahoo Finance via yfinance and also queries per-ticker metadata, which discloses portfolio holdings to a third party without explicit notice or consent. Even if share counts are not transmitted, holdings themselves can be sensitive financial information, and the skill context makes that especially privacy-sensitive.

VirusTotal

64/64 vendors flagged this skill as clean. A clean antivirus verdict does not address the findings above, which concern undeclared scope and disclosure rather than known-malicious code.