ClawHub
Back to skill

Security audit

us-stock-analyzer

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis skill is a documented, API-backed workflow with no hidden code, persistence, or unrelated access, though users should understand it sends ticker requests to Finskills.

Install only if you are comfortable using a Finskills API key and sending requested stock tickers and related query context to Finskills. Use a dedicated key with appropriate quota or billing controls, review Finskills privacy and retention terms for confidential investment research, and treat generated ratings or price targets as research output rather than financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Low
Confidence
91% confidence
Finding
The README states that the skill fetches stock data via the Finskills API but does not clearly disclose that user-provided stock symbols and related query context may be transmitted to a third-party service. This creates a transparency and privacy issue: users may unknowingly send potentially sensitive investment interests or research activity to an external provider, which can matter in regulated, proprietary, or confidential environments.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation conditions are broad enough to match many ordinary finance questions, such as generic requests to analyze or evaluate a stock, which increases the chance the skill is invoked when the user did not explicitly intend to use this external-data workflow. Unintended activation can lead to unnecessary third-party API usage, unexpected handling of user prompts under this skill’s assumptions, and reduced user control over when external financial analysis is performed.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.