
Security audit

Stock Trend Scanner

Security checks across malware telemetry and agentic risk

Overview

This is a local stock-analysis helper that fetches market data and prints technical buy/sell-style signals, with no evidence of credential theft, persistence, or destructive behavior.

Install only if you are comfortable running local Python code that contacts yfinance/Yahoo for stock data and uses third-party packages. Treat the generated buy/sell signals as educational technical-analysis output, not professional financial advice or a basis for trades without your own research.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger list is broad and includes generic phrases like "stock analysis," "analyze [ticker]," and "check [stock symbol]," which can cause the skill to activate in contexts where the user did not intend to invoke this specific tool. In an agent environment, unintended activation can lead to irrelevant tool use, surprising behavior, or acting on financial-analysis workflows without clear user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The code generates explicit trading recommendations such as strong buy, buy, strong sell, and sell, and presents them in a polished report without any warning that the output is informational only and may be wrong. In a stock-scanning skill, this increases the chance that users will rely on the tool for real financial decisions and suffer monetary loss from inaccurate or oversimplified signals.

VirusTotal

66/66 vendors flagged this skill as clean.
