dexter

Security checks across malware telemetry and agentic risk

Overview

Dexter is a coherent financial-research skill, but users should understand it installs a separate GitHub project and stores API keys locally.

Install only if you are comfortable cloning and running the upstream Dexter project with Bun. Use least-privilege API keys, keep `.env` out of git, consider `chmod 600 .env`, and avoid entering confidential watchlists or internal investment research unless third-party LLM, financial-data, and web-search providers are acceptable for that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The installation instructions explicitly create a `.env` file containing API keys on disk, but do not warn users about the persistence and exposure risks of storing credentials in plaintext. In a cloned repository workspace, those secrets may be accidentally committed, read by other local processes, or left behind in shared environments, making this a real secret-handling weakness even if common in developer workflows.
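As an added example for the `.env` advice in the Overview and for the finding above (this is not code from the Dexter project or from this page), the following POSIX shell script checks a cloned workspace the way a pre-commit hook would: that `.env` is listed in `.gitignore`, that it is mode 0600, and that no other file that would be committed carries a key-looking assignment. The key-name regular expression, the file names and the two constructed demo workspaces are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the Dexter project: .env hygiene checks that can
# run as a pre-commit hook in the cloned workspace. The key-name regex, file
# names and the constructed demo workspaces below are assumptions.

# Matches NAME=value where NAME contains API_KEY, SECRET or TOKEN and the value
# is non-empty (NAME= and NAME="" are allowed, since they leak nothing).
secret_pattern="[A-Za-z0-9_]*(API_KEY|SECRET|TOKEN)[A-Za-z0-9_]*[[:space:]]*=[[:space:]]*[\"']?[^[:space:]\"']+"

# Check 1: .env (or .env*) is listed verbatim in .gitignore.
env_is_ignored() {
  [ -f "$1/.gitignore" ] && grep -qxE '/?\.env\*?' "$1/.gitignore"
}

# Check 2: the file is mode 0600. POSIX find -perm with an octal mode and no
# leading '-' matches the permission bits exactly.
env_mode_ok() {
  [ -f "$1" ] && [ -n "$(find "$1" -perm 600)" ]
}

# Check 3: none of the given files contains a key-looking assignment.
# Prints the offending lines and returns 1 if any do.
scan_for_secrets() {
  if grep -nE "$secret_pattern" "$@" 2>/dev/null; then return 1; fi
  return 0
}

# Run all three checks on a workspace; returns 1 if any check fails.
check_env_hygiene() {
  dir=$1 status=0
  env_is_ignored "$dir"   || { echo "FAIL: .env is not listed in $dir/.gitignore"; status=1; }
  env_mode_ok "$dir/.env" || { echo "FAIL: $dir/.env is not mode 0600"; status=1; }
  # Everything except .env itself (and .git) is a candidate for being committed.
  # Left unquoted on purpose to word-split the list (no spaces in names assumed).
  candidates=$(find "$dir" -name .git -prune -o -type f ! -name .env -print)
  if [ -n "$candidates" ]; then
    scan_for_secrets $candidates || { echo "FAIL: key-looking value in a file that would be committed"; status=1; }
  fi
  return $status
}

# Constructed demo workspace: ignored, owner-only .env plus a harmless source file.
make_demo() {
  d=$(mktemp -d)
  printf '.env\nnode_modules/\n' > "$d/.gitignore"
  printf 'OPENAI_API_KEY=sk-example-not-a-real-key\nTAVILY_API_KEY=tvly-example\n' > "$d/.env"
  chmod 600 "$d/.env"
  printf 'export const baseUrl = "https://example.invalid";\n' > "$d/config.ts"
  echo "$d"
}

demo_clean() { check_env_hygiene "$(make_demo)"; }

# Same workspace, but a key was pasted into a source file: must fail.
demo_leak() {
  d=$(make_demo)
  printf 'const FINANCIAL_DATASETS_API_KEY = "fd-example";\n' >> "$d/config.ts"
  check_env_hygiene "$d"
}

demo_clean && echo "clean workspace: OK"
demo_leak  || echo "leaky workspace: blocked (expected)"
```

Wire `check_env_hygiene "$(git rev-parse --show-toplevel)"` into `.git/hooks/pre-commit` to refuse commits while any check fails; the third check is a heuristic for pasted keys and will need its pattern tuned to the project's own naming.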

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill states that international stock queries fall back to Tavily web search, but it does not clearly warn that user prompts and company/ticker research terms may be transmitted to a third-party provider. That creates a privacy and data-governance risk, especially if users submit sensitive investment research, proprietary watchlists, or internal analysis topics assuming all processing is local or limited to the primary financial data API.

VirusTotal

66/66 vendors flagged this skill as clean. This result covers the skill package itself, not the upstream Dexter project it clones at install time or the dependencies that project pulls in under Bun.
