Invassistant

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed investment-analysis skill with optional report notifications, not evidence of malware or hidden exfiltration.

Install only if you want an advisory investment framework and are comfortable reviewing its financial logic yourself. Keep webhook notifications disabled unless you understand that holdings, prices, signals, and risk commentary may be sent to third-party chat platforms, and do not connect its output directly to live trading without independent confirmation and explicit human approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill can transmit generated portfolio reports to external webhook endpoints for WeCom, DingTalk, and Feishu. Because the report contains holdings, signals, and risk state, enabling push can disclose sensitive financial information to third-party systems or attacker-controlled webhooks if configuration is mis-set or compromised.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Outbound webhook messaging is a real data egress capability, not just local portfolio checking. In this context, the feature broadens the trust boundary by sending internally generated portfolio intelligence off-box, which becomes dangerous if secrets, holdings, or trading signals are sensitive or if webhook URLs point to unauthorized destinations.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The file-level mode-selection documentation states a VIX threshold of 20, while the implementation also defines a different default threshold value elsewhere, creating inconsistent entry criteria. In an investment decision engine, this kind of drift can cause the system to select a riskier mode than operators expect, leading to trades being entered under materially different market conditions than documented.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The docstring says all three market checks must pass, but the implementation treats insufficient QQQ/SPX history as a default pass. This fail-open behavior weakens a portfolio risk gate: an attacker, bad integration, or data outage could omit enough history to bypass systemic-risk checks and allow entries during unsafe market conditions.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The function retrieves a configurable VIX threshold from params but then ignores it and hard-codes 20 for mode selection. This mismatch undermines operator control and can produce unexpected strategy behavior, especially in automated trading where thresholds are part of risk governance and environment-specific tuning.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The trend-entry logic is documented as requiring all four conditions, including breakout plus volume confirmation, but run_trend_check marks the breakout condition as passed even when volume is insufficient. In this investment skill, that weakens a core confirmation control and can green-light entries on weak breakouts, increasing false positives and exposure to failed moves.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README encourages users to install the skill directly and trigger "check holdings" through natural language, but it does not clearly state that the skill processes sensitive investment holdings information, and the repository structure shows send_*.py push scripts that may send results to WeCom, DingTalk, or Feishu. For a skill that handles financial data and may send results externally, this lack of transparent disclosure and informed consent can lead users to expose sensitive information without knowing it.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill explicitly requests write_to_file, replace_in_file, and execute_command, but the user-facing description does not warn that the skill can change files or run system commands. In a finance context, those capabilities are broader than necessary for pure analysis and could be abused to alter local data, create artifacts, or execute unintended commands under the guise of portfolio management.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The file is entirely in Chinese without any indication that the user selected or consented to Chinese-language content. In an investment-management skill, this can cause users to misunderstand critical risk limits, override rules, and drawdown controls, leading to unsafe financial decisions or failure to follow mandatory safeguards.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The push path sends portfolio report content externally without any explicit user-facing warning that sensitive investment data may leave the local environment. This increases the risk of unintended disclosure, especially because the generated report includes symbols, names, prices, entry/exit signals, and systemic risk commentary that may reveal holdings and strategy state.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
pandas>=1.5.0
Confidence
94% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
pandas>=1.5.0
Confidence
92% confidence
Finding
pandas>=1.5.0

VirusTotal

65/65 vendors flagged this skill as clean.
