ClawHub

worldquant-miner-cn

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned but needs Review because it automates a financial platform account while normalizing unsafe credential handling and unattended submissions.

Install only after reviewing the original Docker Compose files, Dockerfiles, Python code, and dependencies from a trusted source. Do not put real WorldQuant credentials in a repository or command line; use a safer secret store or tightly permissioned local file, and keep automated submission disabled or manually approved until you understand exactly what account actions will occur.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README explicitly instructs users to place sensitive credentials in a plaintext file, which increases the likelihood of credential theft through accidental commit, insecure filesystem permissions, backups, logs, or container volume exposure. In this skill's context, the credentials appear to grant access to a trading/alpha-generation platform, so compromise could enable unauthorized account access, job submission, or misuse of proprietary research workflows.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation explicitly instructs users to place WorldQuant credentials in a plaintext file, which materially increases the chance of credential disclosure through local compromise, backups, shell history, accidental commits, or insecure file permissions. Although this is presented as setup guidance rather than exploit code, it normalizes an unsafe secret-handling practice and can directly lead to account takeover if the file is exposed.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill advertises automatic testing and submission to the external WorldQuant platform but does not clearly warn users that credentials and user-generated data will be transmitted to a third-party service. In a finance-related automation tool, this omission can cause users to underestimate privacy, account, and compliance risks associated with unattended network operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly tells users to place WorldQuant credentials in a plaintext `credential.txt` file, but does not warn about file permission, accidental commits, backups, or local disclosure risks. In a project that automates authenticated actions against an external financial platform, this increases the chance of credential compromise and account misuse.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation shows `python machine_miner.py --username your_worldquant_username --password your_worldquant_password`, which encourages passing secrets on the command line. Command-line arguments are commonly exposed through shell history, process listings, logging, and system monitoring tools, making credential leakage likely.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises fully automated 24/7 operation, continuous mining, and direct submission to the WorldQuant platform without a clear warning that unattended authenticated actions can affect an external account. In this skill's context, automation is tied to credentialed API use and submission behavior, so accidental overuse, policy violations, or unwanted submissions become materially more dangerous.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal