Investment Researcher Digital Employee

Security checks across malware telemetry and agentic risk

Overview

The skill is an investment-research prompt package, but it under-discloses the external tools and network/data access its own instructions rely on.

Review before installing. Only use this skill in an environment where external financial-data access, web access, uploaded-document reading, and user notifications are explicitly allowed. Treat outputs as research drafts, not investment advice, and require human review before trading, portfolio, lending, or regulatory decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Scope Creep

Severity: High. Confidence: 98%.
Finding
The manifest declares `allowed-tools: []`, while the body of the skill repeatedly instructs use of external tools such as `web_search`, `web_fetch`, `file`, `message_notify_user`, and `finx gildata-aidata`. This mismatch can cause policy bypass, broken enforcement assumptions, or unsafe deployment where reviewers believe the skill is tool-free even though operators or downstream agents may follow the embedded instructions and access external systems.

Description-Behavior Mismatch

Severity: High. Confidence: 99%.
Finding
The security notice claims there are no network calls or external access, but many modules explicitly depend on web search, web fetch, and external financial data services. False security claims are dangerous because they lower reviewer suspicion and may allow the skill to be approved under weaker controls despite requiring data exfiltration and outbound connectivity.

Intent-Code Divergence

Severity: Medium. Confidence: 86%.
Finding
The file says it contains no executable code or scripts, yet it includes concrete command-style invocations for tools and APIs. Even if not directly executable in this markdown file, these examples can be treated as operational instructions by an agent, undermining the stated non-executable safety posture and increasing the chance of unintended tool use.

Vague Triggers

Severity: Medium. Confidence: 78%.
Finding
The Global Finance Brief trigger includes broad phrases like general finance/news requests, which can make this skill activate outside its intended scope. Over-broad activation is risky because it can capture unrelated prompts and steer the agent into using external data sources or producing authoritative-seeming financial output without clear user intent.

Vague Triggers

Severity: Medium. Confidence: 81%.
Finding
Generic triggers such as '分析 XX 公司' ("analyze company XX") or '分析 XX 行业' ("analyze industry XX") are underspecified and can overlap with many adjacent skills or contexts. This increases the chance of unintended activation, broad data access, or delivery of investment-style analysis where the user's actual need was narrower, informational, or in a different language/context.

VirusTotal

64/64 vendors flagged this skill as clean.
