A 股投研指挥官

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis orchestrator is mostly purpose-aligned, but it can automatically store investment reports, including portfolio holdings and profit/loss details, in Feishu without clear per-run consent or local-only controls.

Review this skill before installing if you use it with real portfolios or proprietary watchlists. Only use it if you are comfortable with reports and charts being sent to the configured Feishu space, and require manual confirmation or a local-only/redacted workflow before analyzing holdings, profit/loss, client data, or private strategy notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The skill explicitly instructs use of proxy control and direct external data collection during the stock-debate flow, which exceeds a pure orchestration role and increases the chance of covert network behavior. In an agent setting, automated proxy start/stop plus scraping introduces data exfiltration, policy bypass, and unreviewed outbound access risks, especially because the behavior is embedded in normal analysis steps.

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding
The document claims the orchestrator 'does not fetch data itself,' but later directs direct API calls, Python execution, and web searches. This mismatch is dangerous because operators and users may grant trust based on the stated limited role while the actual instructions expand capabilities and outbound access beyond that representation.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The skill's declared child-skill inventory suggests delegated data access, but later sections instruct this skill to use Tushare directly as a primary data source. This inconsistency weakens security review because it obscures where secrets are used and which component is responsible for outbound requests, making permission scoping and auditing harder.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding
The reference doc instructs users to call a third-party analysis API directly with a bearer token, which expands the orchestrator's effective capability from local coordination into external data transmission and credential use. In a skill that coordinates investment workflows, this is risky because users may send symbols, strategy context, or other sensitive research inputs off-platform without explicit trust, scope, or privacy guidance.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
Broad trigger phrases such as general requests for opportunities or "热点" (hot topics) can cause accidental activation of a high-action workflow that performs multiple downstream calls and external writes. In this skill, misfire risk is amplified because activation can launch broad market scans, child-skill orchestration, and document archival without a strong confirmation boundary.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The individual-stock analysis trigger includes vague phrases like 'look at XX' or generic stock-code references, which can overlap with ordinary conversation and unintentionally start an expensive, networked, and archival workflow. Because this mode chains multiple analysis engines and may write results externally, accidental invocation has meaningful privacy and operational consequences.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The portfolio-checkup mode uses broad phrases tied to personal holdings, which risks capturing sensitive financial conversations and automatically processing them as portfolio analysis. In this context the danger is higher because holdings data is especially sensitive and the workflow later instructs automatic report generation and external archival.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill description advertises automatic Feishu archival but does not clearly present it as an external persistence action requiring user awareness and consent. This is risky because users may provide analysis targets or financial context without realizing the content will be stored on a third-party platform.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The workflow includes automatic creation of Feishu documents and image uploads, but there is no user-facing warning that analysis content and generated charts will be transmitted to an external service. This creates a direct data exfiltration path for potentially sensitive queries, watchlists, or investment reasoning under the guise of normal report generation.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The portfolio-health workflow processes highly sensitive holdings and profit/loss data, then pairs it with automatic archival behavior elsewhere in the skill. Without an explicit privacy warning and consent gate, this can expose a user's personal financial positions to external storage and create lasting records of sensitive investment data.

Missing User Warnings

Severity: Medium
Confidence: 78%
Finding
The documentation includes a destructive portfolio removal command with no warning, confirmation, or recovery note. In an orchestration context, operators may copy commands directly, so omission of safeguards increases the chance of accidental deletion of locally tracked holdings data.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The example shows submitting analysis requests to an external API using a bearer token but gives no user notice about outbound data flow, third-party processing, or token handling risks. This can lead users to disclose research inputs or credentials without understanding that data leaves the local skill environment.

VirusTotal

57/57 vendors flagged this skill as clean.