Financial Event Historical Impact Analyzer

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed financial analysis skill that fetches market data and writes local reports, with notable quality and setup cautions but no evidence of hidden, destructive, or exfiltrating behavior.

Before installing, confirm you are comfortable providing a Tushare token, optionally a FRED key, and allowing requests to the disclosed financial data services. Do not paste or display API tokens in chat or logs; check whether a token is set without printing its value. Treat the macro-economy coverage as potentially incomplete until the macro_indicators data-flow bug is fixed, and only run sudo font-install commands after explicit admin review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
`infer_related_assets()` returns only benefited, harmed, and neutral assets, but does not include `macro_indicators` even when the selected event mapping defines them. This creates a silent integrity failure: downstream analysis, charts, and summaries can omit key macro signals while the tool claims full multi-economy macro coverage, leading users to make decisions on incomplete output.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The docstring states that every item will generate charts, and `get_all_related_indicators()` attempts to include `macro_indicators`, but those indicators are never present in the returned result. In a financial analysis skill, this is dangerous because users may trust the completeness of generated evidence and overlook omitted macro charts that materially affect interpretation.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
| Check item | Command | Fix on failure |
|--------|------|---------|
| **Chinese fonts** | `fc-list :lang=zh family` | `sudo apt install fonts-wqy-microhei fonts-noto-cjk` |
| **TUSHARE_TOKEN** | `echo $TUSHARE_TOKEN` | Set it in ~/.bashrc |
| **Output directory** | `mkdir -p memory/reports/` | Ensure write permission |
Confidence
91% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
| System | Install command |
|------|---------|
| **Ubuntu/Debian** | `sudo apt install fonts-wqy-microhei fonts-noto-cjk` |
| **CentOS/RHEL** | `sudo yum install wqy-microhei-fonts` |
| **macOS** | Built in: PingFang SC / Heiti SC |
| **Windows** | Built in: SimHei (黑体) |
Confidence
92% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
| System | Install command |
|------|---------|
| **Ubuntu/Debian** | `sudo apt install fonts-wqy-microhei fonts-noto-cjk` |
| **CentOS/RHEL** | `sudo yum install wqy-microhei-fonts` |
| **macOS** | Built in: PingFang SC / Heiti SC |
| **Windows** | Built in: SimHei (黑体) |
Confidence
92% confidence
Finding
sudo

VirusTotal

66/66 vendors flagged this skill as clean.
