ClawHub

Stock Evaluator

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only stock analysis skill with no credential or trading-account access, but its recommendations and dashboard template should be treated as research, not as financial advice.

Install only if you want an agent to perform detailed stock research and produce explicit trading-style recommendations. Verify all cited prices, metrics, insider activity, and news independently, watch for any dashboard placeholder values that were not replaced, and do not use the output as the sole basis for buying or selling securities.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The skill explicitly enforces a zero-fabrication policy, but the embedded React dashboard template is pre-populated with concrete prices, valuation lines, news headlines, forecasts, and other numeric examples. That creates a strong risk that an agent or downstream consumer will reuse invented values as if they were sourced facts, producing materially misleading investment analysis and undermining the skill's own safety constraints.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The template sets insider-buy and insider-sell fields to zero despite the skill stating that missing data must never be represented as zero and should instead be shown as N/A. This can falsely signal that no insider activity occurred, which is materially different from data being unavailable and can distort investment recommendations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide explicitly frames the output as actionable investment recommendations, including entry prices, stop losses, position sizing, and buy/hold/sell guidance, but only says the dashboard is 'not a standalone decision tool.' That is weaker than a clear financial-advice disclaimer and may cause users to rely on the skill for real trading decisions without understanding uncertainty, suitability, or regulatory limitations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This workflow instructs the agent to produce explicit BUY/HOLD/SELL recommendations, price targets, stop losses, and position sizes, but it does not require a clear user-facing disclaimer, uncertainty framing, or suitability check. In a stock-picking skill, these outputs can materially influence real financial decisions, increasing the risk of users acting on generated advice as personalized investment guidance.

Missing User Warnings

High
Confidence
93% confidence
Finding
The skill is designed to output specific buy/sell actions, entry prices, stop losses, and portfolio allocations without an explicit warning that the content is not financial advice or that data may be incomplete. Because users may act on these recommendations with real money, the absence of a clear caution materially raises the risk of harmful overreliance, especially when combined with the template's fabricated example data problem.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal