Gold Price Inquiry - 黄金价格查询

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward gold-price lookup skill that uses a disclosed JisuAPI key to fetch reference market data.

Install only if you are comfortable using a JisuAPI account key for gold-price queries. Treat any trend summary as reference data, not financial advice, and consider using a limited-quota API key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 78%
Finding: The trigger guidance includes broad phrasing like "similar gold-price questions", which can cause the skill to activate for loosely related financial discussions outside narrow price lookup. In an agent setting, overbroad invocation can expose API-backed behaviors and external calls when the user did not clearly request this skill, increasing the chance of inappropriate tool use or misleading financial responses.

Vague Triggers

Medium
Confidence: 83%
Finding: The listed triggers include broad terms such as "future trend" and "market outlook", which overlap with general financial analysis rather than the skill's concrete data-retrieval scope. This matters because the skill itself warns against fabricating predictions, yet the trigger text encourages invocation for predictive or advisory conversations where API price snapshots may be insufficient and could mislead users.

VirusTotal

54/54 vendors flagged this skill as clean.