Security audit

Einstein Research — Edge Candidate Generator

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its trading-research purpose, but it needs review because it can run an unrestricted user-supplied helper command and can write exported files outside the intended strategies folder if given unsafe candidate IDs.

Install only if you are comfortable running it in a controlled workspace. Use trusted ticket YAML, avoid --force until you have checked the resolved output path, and only use --llm-ideas-cmd with a trusted command/provider because it receives market observations and runs with your local user permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
    if not command_parts:
        raise AutoDetectError("--llm-ideas-cmd is empty")

    result = subprocess.run(
        command_parts,
        input=json.dumps(payload),
        text=True,
Confidence: 97%
Finding:
result = subprocess.run( command_parts, input=json.dumps(payload), text=True, capture_output=True, )

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
        ]
    )

    result = subprocess.run(  # nosec B607 - uv is a known local tool
        ["uv", "run", "python", "-c", snippet],
        cwd=str(pipeline_root),
        env=_uv_env(),
Confidence: 89%
Finding:
result = subprocess.run( # nosec B607 - uv is a known local tool ["uv", "run", "python", "-c", snippet], cwd=str(pipeline_root), env=_uv_env(), capture_output=True

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
This helper adds optional external command execution for LLM idea generation, which materially expands the skill's capability beyond local research-ticket generation into arbitrary process launching. That mismatch increases the attack surface because a research workflow now includes an unbounded execution hook that can run attacker-chosen programs under the user's account.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
`--llm-ideas-cmd` directly exposes arbitrary subprocess execution without meaningful restrictions on what may be invoked. In practice, anyone controlling invocation parameters can run any local executable with access to stdin/stdout and the caller's filesystem/network permissions, making this a command-execution primitive rather than a simple research feature.

Missing User Warnings

Severity: Low
Confidence: 92%
Finding:
The skill describes generating tickets and exporting pipeline artifacts into workspace directories like `tickets/` and `pipeline-candidates/` without warning the user that files will be created or modified. Even if the writes are expected for this workflow, lack of disclosure can lead to unintended repository changes, overwrites, or confusion in environments where workspace integrity matters.

VirusTotal

61/61 vendors flagged this skill as clean.