Technical Indicators

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent A-share technical-analysis toolkit, but users should treat some sentiment and signal outputs as rough proxies rather than verified analysis.

Install only if you are comfortable with the skill fetching market data from external financial-data providers. Treat generated signals, sentiment scores, and backtests as informational only, especially the forum/news/policy sentiment components that use simplified proxies or neutral defaults rather than full text analysis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The function claims to perform forum sentiment analysis, but actually reuses industry board performance as a proxy. This is a specification-integrity issue: downstream users may make trading or risk decisions believing the system analyzed retail/forum discourse when it did not, causing misplaced trust and unsafe automation.

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The function advertises policy sentiment interpretation but always returns a fixed neutral score, regardless of actual policy content. In a financial analysis skill, this creates deceptive output that can suppress meaningful risk signals and mislead operators into assuming policy analysis occurred.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The code claims to assess industry news sentiment, but only measures the proportion of industry boards with positive price changes. This conflates price action with news analysis, which can mislead users about data provenance and cause inaccurate confidence in the resulting sentiment score.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The scanner advertises filtering by trend strength, but it reads trend_strength from get_supertrend_levels(), which never returns that field. As a result, the filter silently degrades to the default 'weak' path and may suppress or misclassify signals, creating misleading trading output and reducing trust in downstream automation.

Missing User Warnings

Low
Confidence: 88%
Finding
The code performs outbound requests to AkShare to fetch market data, but there is no clear user-facing disclosure, consent, timeout handling, or egress restriction. In an agent/skill context, unexpected network access can expose usage metadata, violate operator expectations, and create privacy/compliance issues even if the destination is a legitimate market-data source.

VirusTotal

64/64 vendors flagged this skill as clean.
