alva

Security checks across malware telemetry and agentic risk

Overview

The Alva skill is coherent for finance workflows, but it asks for broad setup, account-linked access, memory use, public sharing, and automation/trading powers that need review before use.

Install only if you are comfortable with Alva account authentication, global npm CLI changes, persistent Alva Cloud automations, public feed/playbook sharing, memory-based personalization, and possible trading or notification actions. Before use, ask the agent to get explicit approval before running setup scripts, upgrading tools, reading memory, granting public access, deploying automations, enabling push notifications, releasing public pages, or executing any trading action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (17)

Vague Triggers

Medium, 85% confidence
Finding:
The activation text is so broad that it can capture many ordinary finance-related prompts, increasing the chance this powerful skill is selected when a simpler, less-privileged tool would suffice. Overbroad routing raises the blast radius of all other risky capabilities in the skill, including shell execution, remote access, memory reads, and publishing actions.

Missing User Warnings

Medium, 96% confidence
Finding:
The skill directs the agent to automatically read persistent user memory at session start and use it to tailor financial responses, but does not require clear notice or consent at the moment of access. Because the memory may contain identity, preferences, investment style, and prior context, this creates a privacy risk and can expose or reuse sensitive personal profiling data beyond the user's immediate request.

Missing User Warnings

Medium, 87% confidence
Finding:
The documentation normalizes mid-turn persistent writes without emphasizing that tool calls can create side effects before the agent finishes or before the user confirms the action. In an agent setting, this can cause unintended data persistence, partial records, or accidental writes triggered by ambiguous prompts or model mistakes.

Missing User Warnings

Medium, 92% confidence
Finding:
The generic feed reader example demonstrates broad access to deployed feed data using ambient credentials (`env.apiKey`) and user-controlled path components, but does not warn about sensitive-data exposure or least-privilege constraints. In a financial-data platform, this increases the risk of overbroad data access, inadvertent disclosure, or use of the tool to retrieve internal feed contents beyond the intended scope.

Missing User Warnings

Medium, 93% confidence
Finding:
The documentation states that enabling `--push-notify` will automatically read the feed's latest target and push it to playbook followers on Telegram, but it provides no privacy, consent, or audience-impact warning. In a financial platform context, automated outbound messaging can expose trading signals or sensitive strategy outputs to third parties, creating confidentiality, compliance, and reputational risk if operators enable it without understanding the consequences.

Missing User Warnings

Medium, 88% confidence
Finding:
The documentation includes destructive `alva fs remove --recursive` examples, including clearing feed data and full resets, without prominent warnings about irrecoverable deletion, environment restrictions, backups, or confirmation practices. In an agent skill context, users or downstream agents may copy these commands directly, making accidental data loss more likely even if the feature is legitimate.

Missing User Warnings

Medium, 91% confidence
Finding:
The documentation shows how to grant `special:user:*` read access, effectively making data publicly readable, but does not clearly warn about confidentiality, data classification, or the risk of unintentionally exposing private financial datasets and derived analytics. Because this skill operates in a financial data platform, examples that normalize public grants can lead to unintended disclosure of sensitive research, portfolio, or proprietary feed outputs.

Missing User Warnings

Medium, 86% confidence
Finding:
The documentation explicitly advertises arbitrary JavaScript execution with filesystem, SDK, and HTTP access, which materially increases the capability for data access, exfiltration, and remote interaction if invoked by an agent or user workflow. In a financial-analysis skill, this is more dangerous because the surrounding context implies access to market data, analytics code, and potentially sensitive portfolio or API material, yet the doc does not include clear security boundaries, trust assumptions, or warnings about destructive and exfiltration risks.

Missing User Warnings

Medium, 94% confidence
Finding:
The documentation exposes a subscription flag that can immediately execute the latest signal on a live trading account, but it does not require a separate confirmation step, preview of resulting orders, or explicit dry-run workflow before execution. In a trading skill, this is especially dangerous because users may subscribe expecting passive setup and instead trigger real market orders instantly, causing unintended financial loss.

Missing User Warnings

Medium, 88% confidence
Finding:
The documentation encourages enabling push notifications to all playbook followers and describes fan-out of signal content, but it does not warn that successful job output may be broadly distributed to subscribed users via Telegram. In a financial-data platform, this can expose sensitive or unintended trading signals, create privacy and compliance issues, and cause user impact if operators enable notifications without understanding the audience and content being sent.

Missing User Warnings

Medium, 91% confidence
Finding:
The guide instructs users to grant read access to `special:user:*`, effectively making feed output publicly readable, but it does not clearly warn that this exposes data broadly beyond the creator's account. In the context of financial research, analytics, or portfolio-related outputs, this can unintentionally publish proprietary signals, internal analytics, or sensitive market data to all users.

Missing User Warnings

Medium, 94% confidence
Finding:
The markdown example renders raw markdown with `markdown-it` and injects the generated HTML directly via `insertAdjacentHTML`, but the documentation gives no warning or sanitization guidance. If consumers follow this pattern with untrusted markdown and HTML support enabled or later added through configuration/plugins, it can lead to stored or reflected XSS in any UI that displays user-controlled content.

Missing User Warnings

Medium, 96% confidence
Finding:
The guidance includes delegated click handling that opens whatever URL is stored in `data-href` and special-cases YouTube URLs for inline embedding, but it does not require any scheme/domain validation before navigation. If feed data is attacker-controlled or insufficiently sanitized upstream, this can enable phishing, unexpected navigation to `javascript:`/malicious links depending on platform behavior, or privacy/security issues from embedding untrusted content.

Missing User Warnings

Medium, 92% confidence
Finding:
The documentation instructs users to grant public read access to an entire feed path and shows publicly readable absolute paths, but it does not warn that any stored feed output may then be accessible to anyone. In this skill's financial-data context, feeds can contain portfolio data, research outputs, notifications, or signal content, so users may unintentionally expose sensitive or proprietary information.

Missing User Warnings

Medium, 91% confidence
Finding:
The workflow instructs the agent to perform state-changing actions including writing files, granting public read access, deploying cronjobs, and releasing playbooks, but it does not require an explicit confirmation gate immediately before those irreversible or externally visible operations. In a remix flow triggered by a pasted prompt, this creates a real risk that an agent will publish code or expose assets under the user's account without the user fully understanding the write, deployment, and public-sharing consequences.

Missing User Warnings

Medium, 91% confidence
Finding:
The script silently contacts GitHub and rewrites a local `.env` file to store a timestamp, with no user-facing disclosure or opt-in. While the data involved is minimal and the destination is a legitimate update endpoint, undisclosed network activity and local state mutation are still security-relevant because they can surprise users and create privacy or trust concerns.

Missing User Warnings

Medium, 88% confidence
Finding:
The feed sends aggregated news and social content to external services including Brave, Grok/X search, and an LLM sentiment classifier, but the file contains no indication of consent, disclosure, or data-handling constraints. Even if the content is mostly public, forwarding collected third-party content and derived datasets to outside providers can create privacy, compliance, licensing, and customer-trust issues, especially in a financial research product.

VirusTotal

65/65 vendors flagged this skill as clean.