ClawHub

Trading Signal Pro

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only trading skill with no malicious code found, but it advertises 24/7 automated financial execution and profit claims without clear safeguards or evidence.

Review carefully before installing. Do not provide exchange credentials, wallet access, funds, or trading permissions unless the publisher supplies clear documentation for data sources, API permissions, read-only versus trading access, trading limits, manual approval controls, shutdown controls, and evidence that profit claims are non-guaranteed and substantiated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest and title present the skill as signal analysis, but the documentation explicitly advertises automated 24/7 execution and platform API integration, which materially expands it toward autonomous trading/bot behavior. That mismatch can mislead users, reviewers, and policy controls about what the skill actually does, increasing the risk of unauthorized trading activity or unsafe financial automation.

Context-Inappropriate Capability

Low
Confidence
89% confidence
Finding
The revenue, payback, and profit-potential claims market the skill like an investment product rather than a neutral analysis tool. In a financial context, such claims can pressure users into trusting or deploying the skill based on promised returns, creating fraud, compliance, and user-harm risk if the claims are misleading or unsupported.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal