
Security audit

A-share Analysis Skill Wrapper

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent A-share market data wrapper, but users should know it delegates execution to a separate local akshare-stock skill and may handle private portfolio details if holdings features are used.

Install only if you trust the separate akshare-stock skill already present on the machine. Avoid entering private portfolio holdings unless you know where that underlying skill stores data and how to delete it, and treat stock recommendations as informational research rather than personal financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 87%
Finding
The invocation examples are broad natural-language phrases such as asking for market views, which could match ordinary conversation and trigger the skill unintentionally. In an agent environment, overbroad triggers can cause unwanted tool activation, unnecessary external data access, or accidental disclosure of user intent and query content to third-party data sources.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill introduces holding-management commands involving portfolio cost and quantity, but does not warn users that sensitive financial data may be stored, processed, or exposed in logs. Portfolio positions are highly sensitive personal financial information, and omission of handling, retention, and privacy guidance increases the risk of inadvertent disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.