
Security audit

investoday-stock-research-interpretation

Security checks across malware telemetry and agentic risk

Overview

This is a finance-analysis instruction skill that uses a disclosed market-data dependency and does not include executable code or hidden data access.

Safe to install as a research-summary aid, assuming you also trust the required investoday-finance-data dependency. Treat outputs as informational summaries of available research data, not investment advice, and be aware that broad finance questions may need a more specific skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill metadata advertises broad trigger phrases such as “机构怎么看” and “研报解读”, which are generic enough to match ordinary financial conversation outside the intended narrow workflow. This can cause unintended invocation, leading the agent to route users into this skill when they may have intended a different finance capability, increasing the chance of irrelevant tool use or unintended disclosure of contextual stock-analysis output.

Vague Triggers

Medium
Confidence: 95%
Finding
The trigger scenario section describes broad situations like asking how institutions view a stock or whether reports are bullish/bearish, but it does not define clear exclusion criteria or disambiguation rules versus adjacent skills. In a multi-skill agent, this ambiguity can misroute requests, causing the skill to activate on loosely related finance queries and produce analysis from the wrong data path or user intent.

VirusTotal

63/63 vendors flagged this skill as clean.
