ClawHub

a-stock-investment

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward A-share market search helper that uses Tavily for live finance results, with no hidden persistence, destructive behavior, or unrelated data access found.

Install only if you are comfortable providing a Tavily API key and sending A-share-related search terms to Tavily. Avoid entering sensitive holdings, account details, or proprietary research terms, and treat generated market analysis as research support rather than financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill description says it should trigger on very broad phrases like 'A股行情', 'A股走势', '股市行情', and similar common market-related requests. This increases the chance of unintended activation, causing the agent to invoke the skill when the user may only want general discussion, which can lead to unnecessary tool use and external data access.

Vague Triggers

Low
Confidence
88% confidence
Finding
The usage example uses vague phrasing like '今天A股怎么样' and '帮我分析一下股市' without defining boundaries for when the skill should or should not activate. Ambiguous examples reinforce overbroad routing behavior and may cause the agent to treat casual or high-level stock discussion as a request to call the skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that it uses the Tavily API to search for A-share information, but it does not disclose that user queries may be transmitted to a third-party service. This creates a privacy and data-governance risk, especially if users include sensitive financial interests, portfolio details, or proprietary research terms in their prompts.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal