Financial Engineer Digital Employee

Security checks across malware telemetry and agentic risk

Overview

The skill is not malware, but it understates the fact that its instructions can process financial datasets, train models, and write model and report files.

Review this skill before installing. Only use it if you intend to let an agent run local ML workflows over financial or customer datasets and write model/report artifacts to disk. Do not process regulated, PII-bearing, or confidential business data unless you have approved the exact data path, output directory, retention plan, and whether AUTO tuning or autonomous experiments are allowed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Scope Creep

Severity: High
Confidence: 98%

Finding: The manifest explicitly claims `allowed-tools: []` and `no-executable-code`, yet the body repeatedly instructs execution of Python scripts that read datasets, train models, and write artifacts. This mismatch can mislead a host agent or reviewer into granting the skill a safer trust profile than its documented behavior warrants, enabling unauthorized code execution or local data processing under false pretenses.

Intent-Code Divergence

Severity: High
Confidence: 99%

Finding: The security notice says the skill does not execute code, process data, or write persistent outputs, but the documentation describes exactly those actions: reading parquet/csv files, training models, and saving reports/models/results to disk. False safety claims are especially dangerous in a financial/ML context because users may expose sensitive business or PII-bearing datasets believing the skill will not process or retain them.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%

Finding: The manifest presents the skill as educational/advisory-only while simultaneously advertising end-to-end modeling functionality, creating ambiguity about whether the skill only gives guidance or actually performs modeling operations. This kind of capability confusion can cause policy engines, reviewers, or users to apply insufficient controls to a skill that may handle real datasets and produce deployable models.

Vague Triggers

Severity: Medium
Confidence: 81%

Finding: The XGBoost tuning trigger phrases include very broad language such as generic requests to 'tune' or 'optimize', which can match ordinary user conversation without confirming scope, dataset, or consent. In a skill that can drive iterative modeling actions, ambiguous triggers raise the risk of unintended activation and downstream processing of sensitive financial data or computationally expensive workflows.

Vague Triggers

Severity: Medium
Confidence: 76%

Finding: The experiment-workflow trigger phrases are under-constrained and can be matched by common exploratory requests, making autonomous experimentation easier to invoke than intended. Given that the surrounding documentation describes multi-round automated experiments, this ambiguity increases the chance of accidental model runs, excessive resource use, and unintended analysis of regulated financial data.

VirusTotal

60/60 vendors flagged this skill as clean.
