AI Model Team

Security checks across malware telemetry and agentic risk

Overview

This skill mostly behaves like a trading prediction tool, but it also performs under-disclosed code execution, external code imports, local file writes, package patching, and rollback actions that users should review before installing.

Install only in an isolated environment after reviewing the scripts. Avoid setting AI_HEDGE_PATH or ALERT_WEBHOOK to untrusted values, do not run post_install.py or rollback helpers unless you intend those local mutations, and treat run_team.py as a command that writes into an Obsidian vault rather than a purely read-only forecast.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (24)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""

        try:
            result = subprocess.run(
                [self._get_venv_python(), "-c", code],
                capture_output=True, text=True, timeout=300,
                cwd=AI_MODEL_TEAM_DIR
Confidence
95% confidence
Finding
result = subprocess.run( [self._get_venv_python(), "-c", code], capture_output=True, text=True, timeout=300, cwd=AI_MODEL_TEAM_DIR

Tainted flow: 'NOTE' from os.environ.get (line 248, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
# Make sure the target directory exists
os.makedirs(os.path.dirname(NOTE), exist_ok=True)
try:
    with open(NOTE, "a", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    print(f"\n✅ 已写入 Obsidian: {NOTE}")
except Exception as e:
Confidence
94% confidence
Finding
with open(NOTE, "a", encoding="utf-8") as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises no permissions while the implementation reportedly uses environment access, file read/write, network, and shell capabilities. That mismatch removes an important security boundary for reviewers and operators, increasing the chance the skill is deployed with broader access than users expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is a prediction system, but the reported behavior includes trading execution logic, credential/security management, observability/webhooks, registry utilities, and writing reports to local files. This scope expansion is dangerous because it hides materially different and more sensitive behaviors from reviewers, making it easier for risky actions like order placement, secret handling, and data exfiltration paths to slip through under a benign description.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
This file implements live order-routing and execution behavior, including order splitting, retries, and simulated submission, which materially exceeds a prediction-only skill scope. In an agent setting, execution logic is dangerous because it can be wired into brokerage or exchange APIs later, enabling unauthorized or insufficiently governed trades and increasing the blast radius from analysis to action.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The adapter is labeled and described as a FinBERT/HuggingFace model, but the implementation actually uses VADER plus keyword matching. This is a true integrity and transparency issue because downstream users may make trading or risk decisions believing they are getting a neural finance-specific model when they are not, which can lead to incorrect trust, evaluation, and governance decisions.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The adapter trusts the AI_HEDGE_PATH environment variable and prepends attacker-controllable paths to sys.path before importing code and loading model assets. In any environment where an attacker can influence environment variables or place files in the referenced directory, this can lead to arbitrary code execution through import hijacking or loading untrusted dependencies, which is materially more dangerous than ordinary configuration use in a prediction-only skill.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The function claims to audit sliding-window future-data leakage, but it only sorts timestamps and checks for negative time deltas. That logic cannot detect whether feature construction or label generation improperly includes data from t or later, so users may receive a false sense of safety and deploy leakage-contaminated models.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The script presents run_full_audit as a complete leakage audit, but it never invokes several defined checks such as future lookahead, feature leakage, and sentiment timing. In a trading-model context, this omission is dangerous because operators may trust a 'clean' result even though major leakage classes were never assessed.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code reads AI_HEDGE_PATH from the environment and prepends it to sys.path, allowing imports to be resolved from an arbitrary external directory before normal package locations. If an attacker or untrusted deployment environment controls that path, they can cause the skill to import malicious Python modules, leading to arbitrary code execution in the agent process.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The module includes outbound webhook delivery controlled by ALERT_WEBHOOK, which creates an external data exfiltration path not essential to local prediction logic. Even though intended for observability, alert messages and trace metadata can contain operational details and potentially sensitive error content, making this more concerning in a prediction skill that otherwise would not need unsolicited network egress.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script searches the virtual environment and writes directly into a third-party package's __init__.py under site-packages. Even if intended as a compatibility fix, silently modifying installed dependency code creates hidden behavior changes, weakens supply-chain integrity, and makes future auditing and reproducibility harder. In a prediction-focused skill, this capability is not clearly justified by the manifest and increases risk.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This file contains logic specifically designed to locate and alter installed dependency code in the environment. That is a risky capability because it enables arbitrary mutation of trusted libraries after installation, which can be abused to conceal behavior, bypass review, or destabilize other components sharing the environment. The stated purpose of the skill is forecasting, so this invasive modification path is broader than necessary.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The script performs local filesystem persistence into an Obsidian vault, a side effect not evident from the stated prediction purpose. Hidden or unexpected writes are risky in agent skills because they expand privileges from data analysis into local state modification, potentially leaking or planting content in user-controlled knowledge stores.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script defaults to writing into a user Obsidian vault under the home directory, which is unrelated to core forecasting behavior and creates non-obvious local side effects. In an agent skill, unexpected writes to personal document stores are dangerous because they can alter user data and may be chained with path control to target unintended files.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script imports and executes code from an external path controlled by the AI_HEDGE_PATH environment variable via sys.path modification. That gives whoever controls the environment the ability to load arbitrary Python modules, which is effectively arbitrary code execution under the user's account and is especially dangerous in agent environments where external skills should not silently broaden trust boundaries.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This file is described as a runbook/operations manual, but it includes active backup and rollback routines that modify the local filesystem. Embedding destructive operational code in a documentation-oriented module increases the chance that a user or downstream agent invokes it unexpectedly, turning a reference artifact into one with side effects.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The function claims to roll back configuration, but it deletes and replaces the entire scripts directory. This mismatch is dangerous because callers may expect a limited config restore while actually triggering wholesale code replacement, which can break the system or restore untrusted code from backups.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The backup function is documented as creating a configuration backup, but it copies the scripts directory and writes additional metadata. This scope mismatch can mislead operators about what is being preserved and can propagate executable code snapshots rather than only configuration state.

Intent-Code Divergence

Low
Confidence
86% confidence
Finding
The masking function exposes the first few characters of API keys, which can leak identifying secret prefixes into logs, UIs, or telemetry. While partial masking is common, the module advertises sensitive data masking broadly, and unnecessary disclosure of any secret material increases the chance of credential correlation or misuse when combined with other leaked data.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The predict path fetches external news data without any clear user-facing disclosure that network access will occur or what data may be transmitted. In an agent skill context, silent external access can violate privacy expectations, break restricted-runtime assumptions, or cause data governance issues if symbols or prompts are sensitive.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
Webhook alerts are sent externally without any user-facing disclosure, consent, or warning about the transmission of alert contents and trace data. This is dangerous because exception-derived messages or environment-specific identifiers may leave the system silently, increasing privacy and compliance risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script writes modified content directly into an installed package file without confirmation, warning, backup, or rollback. Unprompted mutation of site-packages is dangerous because it changes trusted code outside normal package-management controls, making the environment harder to inspect, reproduce, and recover if something goes wrong. In this skill's context, that behavior is more suspicious because it is unrelated to core forecasting functionality.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The rollback path performs destructive deletion of the live scripts directory and immediate replacement without any confirmation, dry-run, or safety interlock. In an agent skill context, this is especially risky because automation may call it non-interactively, causing irreversible disruption from a mistaken or malicious trigger.

VirusTotal

67/67 vendors flagged this skill as clean.