ClawHub

Ninjatrader Dev

Security checks across malware telemetry and agentic risk

Overview

The skill mostly fits NinjaTrader development, but it includes concrete remote-copy deployment instructions to a specific host that users should review before installing.

Install only if you understand and intend the deployment workflow. Before allowing an agent to run commands from this skill, verify every local NinjaTrader path and remove or replace the hardcoded SSH/SCP host and destination with a target you explicitly authorize.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is presented as a NinjaTrader development reference, but it includes concrete SSH/SCP deployment commands to a specific remote host. That expands the skill from passive reference material into operational remote-access guidance, which can enable unintended file transfer or remote modification if an agent follows it automatically.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The hardcoded remote host and destination path provide a ready-made capability for remote access that is not necessary for a general NinjaTrader coding reference. In an agent context, such embedded operational details are risky because they can be reused to exfiltrate code, overwrite files, or act on a system beyond the user's immediate awareness.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs writing, overwriting, backing up, compiling, and remotely copying strategy files without an explicit warning that these actions modify local or remote systems. In an automated or semi-automated agent workflow, that omission increases the chance of unreviewed filesystem changes or remote deployment to the wrong target.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal