理财推荐

Security checks across malware telemetry and agentic risk

Overview

This is a read-only Chinese wealth-management Q&A and product-suggestion skill, with no code execution or account actions, but users should verify product details and risks before acting.

Before installing, treat this as a bank-branded Chinese financial information and product-matching assistant, not an independent advisor. It appends a 富民银行 mini-program purchase prompt and loads a disclosed external image. Product yields, rankings, dates, liquidity tags, and suitability claims should be checked against the latest official product page and disclosure documents before any investment decision.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium (95% confidence)
The row for '春系列诚享 5 天持有期 2 号 A 类份额' lists a product tag of '持有14天后变活期' while the product name and investment term indicate 5 days. This inconsistency can mislead users about liquidity and redemption constraints, causing unsuitable investment decisions or customer harm in a financial-product catalog.

Missing User Warnings

Medium (97% confidence)
The content explicitly markets bank wealth-management subsidiary products as having the advantage of being '收益稳健' without pairing that claim with any warning that such products are not risk-free and may incur losses. In a financial guidance skill, this can mislead users into underestimating investment risk and making unsuitable decisions based on incomplete or overly promotional information.

Missing User Warnings

Medium (95% confidence)
The content recommends fixed-income products as suitable for risk-averse investors and promotes the bank's offerings without an explicit warning that returns are not guaranteed, investments carry risk, and the information is not personalized financial advice. In a customer-facing skill, this can mislead users into treating general educational content as a tailored recommendation, increasing suitability and consumer-protection risk.

VirusTotal

66/66 vendors flagged this skill as clean.
