ClawHub

options trader

Security checks across malware telemetry and agentic risk

Overview

This skill does not appear to steal data or execute trades, but its financial-trading claims substantially exceed what the code actually does.

Review this carefully before installing or relying on it for trading. Treat outputs as a rough educational calculation, not investment advice or a complete risk system. Do not assume it provides real-time Greeks, 12-factor analysis, automated risk controls, backtesting, or broker execution unless those capabilities are separately implemented and verified.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill metadata and module description claim enterprise-grade capabilities such as real-time Greeks, automated risk management, and a production V11 engine, but the implementation only performs a simple local delta approximation and fixed-value scoring. In a trading context, this discrepancy can cause users or downstream agents to over-trust the tool's outputs and make financial decisions based on incomplete or misleading analysis.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The docstrings and help text advertise broader analysis such as a '12-factor' model and fuller Greeks support, while the code uses only a few heuristic checks and computes delta alone. In a financial decision-support skill, overstated analytical coverage is dangerous because users may assume model completeness and risk controls that do not actually exist.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Promoting direct broker execution and automated risk management without prominent financial-risk warnings can mislead users into treating the skill as safe for live trading. In this context, the absence of warnings is especially risky because the skill is positioned as professional and enterprise-grade, which can increase user trust and reduce caution around real trade placement.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal