Security audit

jun-invest-option-master-agent

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be an investment-agent installer, but it also sets up automatic commits, background publishing, and agent registration with limited user control.

Install only if you are the intended owner of this specific investment-agent workspace and you want automatic local commits, post-commit sync, launchd background jobs, and ClawHub publishing. Review or disable the git hook and launchd job before use, and do not connect messaging accounts or store personal profile details unless you understand where they will be kept and published.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (23)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no permissions even though its documented behavior includes shell execution, filesystem modification, network access, environment use, and scheduled background automation. That under-declaration prevents informed consent and weakens policy enforcement, making it easier for a user to install a skill that can persist, modify assets, and publish data without clearly understanding its capabilities.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The declared purpose is only installer/backup behavior, but the analyzed behavior reportedly also includes financial data retrieval, analytics, policy validation, and internal prompt/config inspection. That mismatch is dangerous because users may grant trust and execution rights for a simple installer while the skill actually exposes broader data-processing and network behaviors, increasing the risk of unexpected access to sensitive investment workflows or internal configuration.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file’s behavior materially diverges from the skill’s stated purpose of installing/upgrading/registering an agent workspace. Instead of setup logic, it drives identity formation, user profiling, and optional channel onboarding, which can mislead users into disclosing personal information and granting broader access than expected. The mismatch between manifest intent and actual instructions makes the skill context more dangerous, because users may trust it as infrastructure tooling rather than conversational onboarding.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The instructions encourage linking WhatsApp or Telegram accounts even though the skill is presented as an installer/registration tool, not a communications integration skill. That unjustified expansion of scope can induce users to connect external accounts under false expectations, increasing privacy and account-security risk. In this context, the mismatch makes the behavior suspicious and more dangerous than it would be in a clearly disclosed messaging-integration skill.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file's documented functionality is materially misaligned with the skill's declared purpose. A package presented as an installer/upgrade-and-register tool but containing an investment approval pipeline can cause operators or downstream agents to invoke unexpected financial-analysis behavior, expanding trust boundaries and increasing the chance of unsafe automation or policy bypass.

Context-Inappropriate Capability

Low
Confidence
87% confidence
Finding
The assembler enumerates `skills/*/_meta.json` across the repository and writes that inventory into the generated approval packet, even though packet assembly only appears to require the provided input JSON files. This creates unnecessary cross-scope data exposure: a user or downstream consumer of the packet learns installed skill names and versions unrelated to the task, which can aid environment fingerprinting and leak internal repository composition.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The prompt content is for a trading execution advisor, while the declared skill metadata describes an installer/register/backup utility. This capability mismatch is a strong indicator of hidden or repurposed functionality that could cause the agent to perform sensitive financial guidance outside its advertised scope, bypassing user and platform trust assumptions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The installer's documented purpose is to set up a specific isolated agent workspace, but it also reads skills.lock.json and performs network/package-management actions to install or update additional skills. This hidden side effect expands trust beyond the local package and can introduce unreviewed code into the environment, which is especially risky for an installer users may run expecting only a local copy operation.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script performs broader package-management actions than its stated workspace-install role by invoking clawhub update/install on skills from a lock file, using '--force' and preferring the latest version. In this skill context, that makes the behavior more dangerous because an 'isolated workspace' installer implicitly suggests limited local impact, while this code can modify the wider tool environment and pull in additional external code outside the reviewed package.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script modifies the target runtime workspace by initializing a Git repository and installing a persistent post-commit hook without an explicit per-use consent step. That creates hidden behavior in a user-controlled workspace and establishes a durable execution path that will run later on future commits, which is risky because it can trigger follow-on actions outside the immediate install flow.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The post-commit hook causes arbitrary script execution on every future commit by invoking sync-runtime-to-artifact.sh, creating a persistent and potentially non-obvious execution mechanism. If that referenced script is changed, compromised, or performs networked backup/registration actions as suggested by the skill metadata, normal Git commits could unexpectedly exfiltrate data or alter external state.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly states that changes in the runtime workspace are automatically committed, synchronized to the publish artifact, and then periodically published to ClawHub, but it does not clearly warn users that local edits may be turned into remote repository and distribution changes. This is dangerous because users may install or run the skill expecting a local setup action, while it actually establishes an automated path for persistent source control commits and external publication of future changes.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly states it installs post-commit hooks, scheduled launchd publishing tasks, and automatic backup/versioning, but it does not present a clear warning or consent flow about persistent background activity that modifies and publishes agent assets. This is risky because automatic publication can expose workspace contents or changes over time, and persistence mechanisms can continue operating after the user forgets they were installed.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill defines very broad activation phrases that trigger update/install behavior after a single short utterance, with no confirmation step or scope validation. In this context, the triggered action performs package update, installer execution, and agent registration, so accidental or socially engineered invocation can cause real system changes beyond ordinary chat behavior.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to run a forced ClawHub update, execute an install script, and register the workspace non-interactively, but does not require a warning or consent flow describing filesystem and configuration changes. Because these are state-changing operations that may modify local assets and agent routing, the lack of explicit warning materially increases the risk of unintended installation, overwrite, or persistence-related changes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to write identity and user profile details, including name, timezone, and notes, into local files without first warning the user or obtaining meaningful consent. This creates a privacy risk because personal data may be stored persistently in the workspace beyond the user’s expectations, especially in what is presented as an installer context. The surrounding context increases risk because users may not anticipate data collection from a bootstrap file for infrastructure setup.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file proposes linking external messaging accounts without warning users about privacy exposure, account control implications, or the security consequences of connecting third-party channels. Users could unknowingly extend the agent’s reach into personal messaging environments, creating opportunities for data leakage or misuse. In this skill, that is especially problematic because the declared purpose does not prepare users for communications-account integration.

Missing User Warnings

Low
Confidence
79% confidence
Finding
Telling the agent to delete the bootstrap file without a confirmation or warning can remove traceability and user visibility into what initialization instructions were followed. While lower severity than the privacy issues, it can hinder auditability and make it harder for users to review or revert onboarding behavior. In a skill already showing purpose mismatch, automatic cleanup is more concerning because it can conceal unexpected setup steps.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The prompt explicitly authorizes the agent to modify files in a real workspace, run validation scripts, commit changes, and create a publish trigger file, all without any user confirmation or approval gate. In an agent skill, this creates an unsafe autonomy path where prompt-driven changes can persist and be distributed outside the local environment, increasing the risk of unintended code, prompt, or configuration tampering.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The prompt mandates `git add -A && git commit` in the workspace as an automatic duty of the agent, which can persist arbitrary modifications without the user's informed consent. Automatic commits also reduce opportunities for human review, making prompt injection, accidental corruption, or stealthy configuration changes materially more dangerous.

Missing User Warnings

High
Confidence
99% confidence
Finding
The prompt instructs the agent to publish to ClawHub automatically, including by creating a `.publish-now` trigger file for major updates, with no explicit warning to the user that changes may be externally distributed. This is especially dangerous because it turns a local prompt-driven modification into a supply-chain style propagation mechanism, potentially spreading unsafe or compromised artifacts to downstream users or systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer silently configures unattended daily publishing via launchd on macOS as a best-effort side effect, without clear disclosure or explicit consent. Creating a persistent scheduled task that may publish or sync data from an agent workspace expands the trust boundary and can lead to unintended data exposure, repeated outbound activity, or persistence the user did not knowingly approve.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The script registers the agent non-interactively and suppresses all output, so the user may not realize a new agent has been added to the local OpenClaw environment. Silent registration reduces informed consent and can enable unexpected agent availability or execution in later workflows, especially when combined with automatic installation behavior.

VirusTotal

64/64 vendors flagged this skill as clean.