ClawHub

Security Analysis: The Classic 1940 Edition

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a finance/investing framework with packaging and routing quality issues, but no evidence of hidden execution, credential use, persistence, exfiltration, or destructive behavior.

Before installing, expect this to provide investing analysis rather than execute actions. Treat outputs as educational, not financial advice, and be aware that the broad trigger terms may activate the skill for generic finance questions. The publisher should fix the invalid _meta.json and narrow the triggers for reliability.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Intent-Code Divergence

Low
Confidence
99% confidence
Finding
The JSON manifest contains unescaped double quotes inside the description value, which makes the file syntactically invalid JSON. This can break manifest parsing, prevent the skill from loading correctly, and cause downstream tooling to misread or ignore metadata that may be used for validation or security checks.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list is overly broad and includes generic finance terms such as 'investment', 'price', 'value', 'arbitrage', and 'merger', which can cause the skill to activate for many unrelated user requests. This creates prompt-routing confusion and can divert users into this skill unintentionally, leading to irrelevant responses, reduced reliability, and possible interference with higher-priority or safer domain-specific skills.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal