ClawHub

Common Stocks And Uncommon Profits

Security checks across malware telemetry and agentic risk

Overview

This investing skill is mostly a static guide, but it repeatedly tells users to gather company research by pretending to be a customer, which needs review before installation.

Install only if you are comfortable editing or overriding the research guidance. Users should avoid impersonation, false pretenses, soliciting confidential or nonpublic information, and any outreach that could violate law, company policy, platform rules, or securities regulations. The package itself does not run code or request credentials, but its investment-research advice should be treated cautiously.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill explicitly recommends calling competitors while 'posing as a customer,' which is deceptive real-world impersonation advice. That can facilitate fraud-like behavior, violate company policies or laws, and push users toward unethical information gathering under the guise of investment research.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger list is broad enough to activate on many ordinary investing discussions, including generic phrases like growth stocks, competitive advantage, and long-term investing. Overbroad routing is a safety issue because it can inject this skill's more problematic guidance into conversations where the user did not request Fisher-specific research methods.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The onboarding rule activates whenever the user 'just installed this skill' or 'doesn't know how to start,' which is subjective and may cause unsolicited invocation. That increases the chance the skill presents risky or off-scope guidance without a clear user request.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill encourages users to perform real-world outreach using deception and provides no warning about legal, ethical, or policy boundaries. In context, this is more dangerous because it operationalizes the behavior as a concrete next step, making misuse easy and likely.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The content explicitly advises the user to misrepresent themselves to competitors by posing as a potential customer. That is a deceptive social-engineering tactic, and the skill provides it as actionable guidance without any ethical, legal, or reputational warning. In an investment-research context, this is more dangerous because it operationalizes real-world outreach to third parties and could induce fraud-like misrepresentation, policy violations, or reputational harm.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file explicitly instructs users to 'call them posing as a customer' and to contact former employees for intelligence gathering without any warning about ethics, legality, platform rules, or disclosure expectations. That normalizes deceptive pretexting as an acceptable research technique, which can lead users to engage in dishonest outreach, violate terms of service, or elicit confidential information under false pretenses.

Ssd 4

Medium
Confidence
95% confidence
Finding
By embedding deceptive impersonation inside an example 'next concrete step,' the skill normalizes and legitimizes unethical conduct as standard research practice. This lowers user hesitation and turns a risky idea into an endorsed workflow, increasing the likelihood of real-world misuse.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal