BeerGaao Professional Quantitative Trading

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate stock-analysis skill, but it needs review because it creates an optional brokerage trading context while documenting itself as data-only and non-trading.

Install only if you are comfortable with the Longport implementation. Use read-only market-data credentials, do not provide brokerage tokens with trading permissions, run it in a virtual environment, review or disable local SQLite/model persistence as needed, and treat trading signals and backtests as research rather than investment advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
`Portfolio.update_market_value()` computes `total_return` as `(self.total_value / (self.cash + pos_value)) - 1`, but `self.total_value` was just set to `self.cash + pos_value`, so the result is always 0. In a quantitative backtesting tool, silently reporting incorrect returns can mislead users into trusting invalid strategy performance and risk results, which is a real integrity issue even though it is not code-execution related.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding:
The metrics summary labels `total_commission` and `total_slippage`, but `_calculate_metrics()` derives `total_commission` by summing whole trade `cost` and `proceeds`, which include principal amounts rather than just fees, while `total_slippage` is hardcoded to 0. This produces materially false reporting of transaction costs, undermining the accuracy of backtest results and potentially causing users to select unsafe or unprofitable strategies based on fabricated cost assumptions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
This module implements live order-routing primitives, broker abstractions, position updates, cash mutation, and sell/buy enforcement logic, which goes beyond a stated scope of analytics, strategy generation, backtesting, and risk management. In an agent context, exposing executable trading capabilities materially increases the risk of unauthorized or unintended market actions, especially if other parts of the skill can wire a real broker implementation into this interface.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The Longport provider claims it is for quote/data access only, but `_init_context()` imports and initializes `TradeContext` alongside `QuoteContext`. Even though this file does not place orders directly, creating a live trading context unnecessarily expands the capability surface and could enable downstream code, prompt-injection chains, or future modifications to perform trades with the configured credentials.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding:
The code documentation explicitly says 'data query only, no trading', yet it constructs a `TradeContext` with real app credentials. This mismatch is security-relevant because users and integrators may trust the skill as read-only while it silently provisions write-capable trading primitives, increasing the risk of unauthorized or accidental trade execution if other code gains access to the context.

Vague Triggers

Severity: Medium
Confidence: 71%
Finding:
The example trigger phrase for full review is extremely broad, making it easy for natural-language routing to invoke a comprehensive operation from an ambiguous request. In an agent setting, over-broad triggers can cause unnecessary data access, excessive API calls, or unintended workflows without clear user intent.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding:
The tool performs persistent state-changing operations such as saving positions without any user-facing warning, confirmation, or audit-oriented guardrail. In an agent setting, this can let an LLM or indirect prompt trigger unintended portfolio record modifications, leading to integrity issues, confusion, or downstream automation acting on tampered state.

Missing User Warnings

Severity: Low
Confidence: 73%
Finding:
`full_review` silently persists generated reports via `state.save_report` without clearly disclosing that analysis outputs are being stored. In agent workflows, undisclosed persistence can violate user expectations and create unnecessary retention of potentially sensitive watchlists, positions, or derived trading analysis.

VirusTotal

64/64 vendors flagged this skill as clean.