jun-invest-option-master-installer (DEPRECATED)

Security checks across malware telemetry and agentic risk

Overview

This package is labeled as a deprecated installer alias, but it contains an active investment-research agent and automatic workspace update instructions that deserve manual review before installation.

Install only if you intend to run this as an active local investment-research agent, not merely a deprecated alias. Review the automatic upgrade flow, hard-coded workspace path, gateway restart note, Futu/yfinance/Stooq data access, and financial-risk boundaries; keep human approval mandatory for every trade and avoid running the upgrade trigger unless you are ready for local workspace and agent-registration changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The file presents a deprecated installer alias, but its documented behavior still performs active system-changing operations: package update, installer execution, workspace synchronization, agent registration, and possible service restart. That mismatch increases the chance a user or downstream agent triggers privileged operational changes under the assumption that the skill is inert or only informational, which is a security-relevant integrity risk.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The instructions allow restarting the gateway even though the skill is described only as a deprecated installer alias. Restarting infrastructure can disrupt service availability and apply configuration changes without adequate justification or user awareness, making the capability more dangerous in context.

Description-Behavior Mismatch

High
Confidence: 96%
Finding
The skill metadata says this is a deprecated installer/alias, but the README documents a fully operational investment-research and options workflow with real subagents, risk rules, logging, and approval-packet generation. This mismatch can cause users or orchestration systems to invoke a deprecated or incorrectly classified skill for sensitive financial decision support, increasing the chance of bypassing governance, review, or deprecation controls.

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The README claims the system only produces approval packets and does not auto-trade, but it also instructs operators to launch real subagents that generate trading recommendations, execution-related outputs, and daily artifacts. Even without direct order placement, this creates a decision-automation pipeline for financial activity, which can be misrepresented as passive documentation and therefore escape stricter controls for high-risk financial advice tooling.

Context-Inappropriate Capability

Medium
Confidence: 83%
Finding
The adapter silently falls back to an external yfinance-based source when broker-provided spot data is unavailable, expanding data egress and trust boundaries beyond the declared Futu/OpenAPI scope. In a finance agent, this can cause unreviewed outbound network access, leak user interest in specific tickers, and introduce integrity risks by mixing broker and public data without explicit consent or provenance controls.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The installer does more than copy the local agent workspace: it also reads slugs from skills.lock.json and invokes `clawhub install` to fetch and install external skills at their latest versions. This expands the trust boundary during installation, creates a supply-chain risk, and can introduce unreviewed code or changed behavior not captured by the local package contents.

Intent-Code Divergence

Low
Confidence: 88%
Finding
The usage/help text describes only copying local agent files, but the script also performs network-adjacent dependency installation of external skills when `clawhub` and `node` are present. This omission reduces informed consent and can cause operators to run code-fetching behavior they did not expect, making the install process less transparent and harder to audit.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill defines an automatic upgrade path that executes shell commands and modifies the local workspace immediately upon a short user phrase, without any warning, review step, or confirmation. Because these commands update packages, run an installer script, and alter agent registration state, a mistaken or socially engineered trigger could cause unintended code deployment and persistent environment changes.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs the agent to immediately perform an upgrade flow on broad user phrases like '升级' or '安装升级' without clarifying scope, confirming consent, or previewing system-affecting actions. In an installer or workspace-management context, this increases the chance of unintended changes to files, dependencies, configuration, or integrations, especially because the text explicitly discourages follow-up questions before execution.

Missing User Warnings

Medium
Confidence: 93%
Finding
The prompt gives concrete options-trading structure, strike selection, entry, rolling, assignment, and exit guidance but does not require any explicit risk disclosure or user-facing warning that options can lead to material losses, including assignment and equity downside after assignment. In a financial agent, this omission can cause users to treat the output as safe operational guidance, increasing the chance of unsuitable trades and harm, especially because the prompt is framed as authoritative portfolio construction logic.

VirusTotal

66/66 vendors flagged this skill as clean.
