ClawHub

Israeli Stock Analysis

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Israeli stock-analysis helper that may contact financial data services and generate investment-style opinions, with no hidden persistence or destructive behavior found.

Install only if you are comfortable with the agent querying external financial-data providers for requested Israeli securities. Configure only API keys you intend to use, avoid sharing private portfolio or account details unless necessary, and independently verify any investment recommendation before acting on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs the agent to use environment variables, direct API calls, shell scripts, curl, and MCP/network access, but no explicit permission declaration or capability boundary is provided. This creates a real security governance gap: a caller may believe the skill is descriptive-only while it actually encourages privileged actions and outbound requests, increasing the risk of unintended data exposure, SSRF-like fetches, or shell misuse in an agent runtime.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill claims comprehensive financial, technical, comparison, and recommendation capabilities, but the described implementation appears limited to basic quote fetching plus templated analysis instructions. This mismatch is dangerous because it can mislead users and downstream agents into trusting fabricated or weakly supported investment analysis, creating integrity and safety risks in a high-stakes financial domain.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly directs generation of Buy/Hold/Sell recommendations, target prices, entry strategy, and conviction levels without any visible financial-risk disclaimer or warning about informational-only use. In a financial advisory context, that omission increases the chance users will over-rely on incomplete or hallucinated analysis and make harmful trading decisions.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script includes the API key as a query parameter in the request URL. Even over HTTPS, URLs are commonly exposed through application logs, proxy logs, monitoring systems, browser/history equivalents in tooling, and exception telemetry, which can lead to credential disclosure and downstream API abuse.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal