Asset Allocation

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only investment-planning skill whose financial guidance is high-stakes but disclosed and aligned with its stated purpose.

Install only if you want educational portfolio-planning help and understand it may discuss specific funds, ETFs, Chinese platforms, and purchase steps. Do not treat it as licensed financial advice; verify product codes, fees, platform legitimacy, tax/regulatory fit, and suitability independently before acting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill description is broad enough to trigger on many general investing or wealth-management conversations, which can cause the agent to enter a high-stakes advisory workflow without first confirming the user's intent, jurisdiction, or need for regulated financial advice. In financial contexts, overbroad invocation increases the chance of unsuitable recommendations or accidental personalization in situations that should remain educational or be referred out.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The workflow says to start whenever a user asks about investment or wealth topics, but it does not define when the process should not start, when to stay high-level, or when to halt due to missing information. That can lead the system to provide personalized-seeming financial guidance prematurely, despite incomplete risk, legal, or suitability context.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The execution section presumes Chinese platforms and directs the agent to provide step-by-step purchase instructions with specific product names and codes, without first confirming the user's country, language, brokerage access, or desire for transactional guidance. In a financial skill, this creates a meaningful risk of inappropriate jurisdiction-specific instructions and can push the interaction from education into actionable trade execution support.

VirusTotal

63/63 vendors flagged this skill as clean.
