ClawHub

xhcj-finance

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a finance data tool, but its credential-handling guidance and dependency posture need review before installation.

Install only after reviewing how the API key is provided. Avoid putting secrets directly on the command line; prefer an environment variable or protected config file, and update or pin dependencies with a lockfile before use. This is a Review verdict, not a finding of malicious intent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation explicitly instructs users to pass the API key as a command-line argument, which can expose the secret through shell history, process listings, audit logs, and terminal recording tools. In a finance-related skill, the API key likely grants access to paid or sensitive market-data services, so accidental disclosure can enable unauthorized API use and account abuse.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"license": "ISC",
  "type": "commonjs",
  "dependencies": {
    "axios": "^1.13.6",
    "commander": "^14.0.3"
  }
}
Confidence
91% confidence
Finding
"axios": "^1.13.6"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"type": "commonjs",
  "dependencies": {
    "axios": "^1.13.6",
    "commander": "^14.0.3"
  }
}
Confidence
90% confidence
Finding
"commander": "^14.0.3"

Known Vulnerable Dependency: axios==1.13.6 — 10 advisory(ies): CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF); CVE-2026-42044 (Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `pars); CVE-2026-42037 (Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in f) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
axios==1.13.6

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal