ZJTJ-SAR Indicator Calculator

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed stock-analysis helper with no hidden execution or trading authority, but users should treat its buy signals as rough heuristics.

Install only if you want a heuristic A-share SAR/ZJTJ screening aid. Do not rely on its “recommend buy” output as financial advice; verify the logic, account for the documentation/code mismatch, and use independent due diligence before making trades.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The documentation promises a four-factor scoring model including market sentiment and a >=60-point threshold, but the actual code only evaluates three conditions and recommends based on a simple count. In a financial decision-support skill, this mismatch can mislead users into believing recommendations are more rigorous than they really are, increasing the risk of harmful trading decisions.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger phrase '帮我分析股票' is broad enough to match many ordinary investing questions, causing the skill to activate in contexts where the user did not specifically request this methodology. Because the skill produces recommendation-like output, overbroad invocation can lead to unintended financial guidance being surfaced without sufficient context or consent.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill generates '建议买入' or recommendation-style output but does not provide a clear warning that results are heuristic, approximate, and not financial advice. In the context of stock selection, omission of explicit risk disclosure materially increases the chance that users will over-trust the output and make consequential financial decisions.

VirusTotal

48/48 vendors flagged this skill as clean.