vnpy

Security checks across malware telemetry and agentic risk

Overview

This is a coherent vn.py trading skill, but it includes copy-ready broker connection and strategy-start examples that could lead to real financial actions without enough safety scoping.

Review before installing or using with any brokerage account. Use paper trading or SimNow-style test accounts first, keep broker credentials in a secret manager or environment variables, pin dependency versions, and do not let an agent connect or start strategies without explicit confirmation, position limits, and a way to stop trading immediately.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 90%
Finding
The README includes concrete strategy and order-submission examples such as buy/sell/short/cover in a live trading framework, but provides no warning that these actions can place real orders or cause financial loss if copied into a connected brokerage environment. In the context of an agent skill for quantitative trading, omission of risk and environment-safety guidance materially increases the chance of unsafe real-world use by inexperienced users.

Missing User Warnings

Medium
Confidence: 91%
Finding
This section gives concrete live-trading setup and strategy-start instructions that can place or prepare real market orders, but it does not warn users that the example may connect to a real broker or simulated environment capable of order submission. In a trading skill, omission of execution-risk and capital-loss warnings is dangerous because users or downstream agents may treat the example as safe boilerplate and trigger unintended financial actions.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill includes broker credential fields and third-party market-data access examples without warning about secret handling, secure storage, or the privacy implications of transmitting account and market data to external services. That can lead users or agents to hardcode credentials, expose them in logs, commit them to repositories, or send sensitive data to providers without understanding trust boundaries.

VirusTotal

66/66 vendors flagged this skill as clean.
