AutoTradeResearch

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a research/backtesting skill, but it grants an autonomous coding agent and generated strategy code enough unchecked execution power that users should review it carefully before installing.

Install only if you are comfortable running autonomous coding-agent loops and agent-authored Python strategy code in an isolated workspace. Do not use real broker or exchange trading keys, keep market-data tokens in environment variables only, review agent/strategy.py before running backtests, and prefer running this in a sandbox with no sensitive files or credentials reachable from the workspace.

SkillSpector (6)

By NVIDIA

MCP Least Privilege

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs the agent to inspect and modify files under `workspace/agent/`, and to read other workspace files, but it does not declare permissions for those file operations. Undeclared capabilities weaken user awareness and policy enforcement, making it easier for a skill to perform filesystem actions the user did not clearly consent to.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The evaluator fetches price data from yfinance when the local CSV is missing, which breaks the stated bounded-files model and introduces an uncontrolled network dependency. This can leak execution metadata to a third party, makes results non-reproducible because the dataset can change between runs, and lets an external service or a changing dataset influence evaluation behavior.
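A fail-closed alternative to the fallback described above, written here as an added example rather than code from the skill: the loader reads only the local CSV, raises instead of downloading when the file is absent, and records the SHA-256 of the bytes it evaluated so a result can be tied to one exact dataset. The `close` column name, the PnL rule and the sample rows are assumptions made for the example.

```python
import csv
import hashlib
import io
import tempfile
from pathlib import Path


class MissingDatasetError(FileNotFoundError):
    """Raised when the pinned dataset is absent; no network fallback is attempted."""


def load_prices(csv_path):
    """Read close prices from a local CSV and return (closes, sha256 of the file).

    The pattern the finding describes would do something like
    ``yf.download(...)`` here when the file is missing; this loader fails closed.
    """
    path = Path(csv_path)
    if not path.is_file():
        raise MissingDatasetError(
            f"{path} is missing; supply the dataset explicitly, network fallback is disabled")
    raw = path.read_bytes()
    digest = hashlib.sha256(raw).hexdigest()
    rows = csv.DictReader(io.StringIO(raw.decode("utf-8")))
    closes = [float(row["close"]) for row in rows]   # 'close' column is an assumption
    return closes, digest


def evaluate(csv_path, generate_signals):
    """Run a strategy over the pinned dataset and report the dataset hash with the result.

    PnL rule (assumed for the example): position held over bar i is signals[i],
    realised against the close-to-close change into bar i+1.
    """
    closes, digest = load_prices(csv_path)
    signals = generate_signals(closes)
    pnl = sum(s * (closes[i + 1] - closes[i]) for i, s in enumerate(signals[:-1]))
    return {"dataset_sha256": digest, "bars": len(closes), "pnl": pnl}


# Constructed sample dataset for the demo (not real market data).
SAMPLE_CSV = "date,close\n2024-01-02,10.0\n2024-01-03,11.0\n2024-01-04,12.0\n2024-01-05,11.0\n"


def write_sample():
    """Write the constructed dataset to a temp directory and return its path."""
    path = Path(tempfile.mkdtemp(prefix="data-")) / "prices.csv"
    path.write_text(SAMPLE_CSV)
    return path


def always_long(prices):
    """Trivial constructed strategy: long every bar."""
    return [1] * len(prices)


if __name__ == "__main__":
    sample = write_sample()
    print(evaluate(sample, always_long))
    try:
        load_prices(sample.parent / "missing.csv")
    except MissingDatasetError as exc:
        print("refused:", exc)
```

Because the hash travels with the result, two runs that report different PnL on the "same" symbol can be distinguished by dataset rather than blamed on the strategy.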

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code dynamically imports and executes agent/strategy.py with full Python privileges via exec_module, so any top-level code in the agent-controlled file runs immediately during evaluation. In this skill context, that gives untrusted strategy code the ability to read/write files, access the network, or run subprocesses, which exceeds a bounded backtesting evaluator and creates a strong code-execution primitive.
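To make the primitive concrete, the following is an added example (not the skill's own evaluator): it shows the `exec_module` pattern running top-level code from an agent-controlled file the moment it is loaded, and a static gate that parses the file with `ast` and refuses to execute it unless every import is on an allowlist and nothing but imports, definitions and constant assignments appears at top level. The allowlist, the two constructed strategy files and the environment-variable marker used to prove that import-time code ran are assumptions made for the example.

```python
import ast
import importlib.util
import os
import tempfile
from pathlib import Path

# Modules a backtest strategy legitimately needs. This allowlist is an
# assumption for the example, not a list taken from the skill.
ALLOWED_IMPORTS = {"math", "statistics", "numpy", "pandas"}

# Constructed strategy files. The first carries a top-level side effect that
# runs as soon as the module is executed; the second only defines things.
MALICIOUS_STRATEGY = '''
import os
os.environ["STRATEGY_IMPORT_RAN"] = "yes"   # could just as well spawn a shell

def generate_signals(prices):
    return [1] * len(prices)
'''

BENIGN_STRATEGY = '''
import math

LOOKBACK = 3

def generate_signals(prices):
    """1 when the bar closes above the running mean, else 0."""
    out, total = [], 0.0
    for i, p in enumerate(prices, 1):
        total += p
        out.append(1 if p > total / i else 0)
    return out
'''


def write_strategy(source):
    """Write a constructed strategy to a fresh temp dir and return its path."""
    path = Path(tempfile.mkdtemp(prefix="agent-")) / "strategy.py"
    path.write_text(source)
    return path


def load_unchecked(path):
    """The pattern the finding describes: exec_module executes every
    top-level statement in the file with the evaluator's own privileges."""
    spec = importlib.util.spec_from_file_location("strategy", str(path))
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return module


def import_side_effect_seen():
    """Reports whether the malicious file's import-time code has run in this process."""
    return os.environ.get("STRATEGY_IMPORT_RAN")


def audit_strategy_source(source):
    """Static gate run before loading. Returns a list of violations: imports
    outside the allowlist, any top-level statement that is not an import,
    def, class or simple constant assignment, and calls to exec/eval/etc."""
    tree = ast.parse(source)
    problems = []
    for node in tree.body:
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            names = None
        if names is not None:
            for name in names:
                if name.split(".")[0] not in ALLOWED_IMPORTS:
                    problems.append(f"line {node.lineno}: import of {name!r} not allowed")
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        elif (isinstance(node, ast.Assign)
              and all(isinstance(t, ast.Name) for t in node.targets)
              and isinstance(node.value, ast.Constant)):
            continue
        else:
            problems.append(f"line {node.lineno}: top-level {type(node).__name__} runs on import")
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in {"exec", "eval", "__import__", "compile"}):
            problems.append(f"line {node.lineno}: call to {node.func.id}()")
    return problems


def load_checked(path):
    """Refuse to execute the file at all unless the static gate passes."""
    problems = audit_strategy_source(Path(path).read_text())
    if problems:
        raise PermissionError("strategy.py rejected: " + "; ".join(problems))
    return load_unchecked(path)
```

The gate is a review aid, not a sandbox: an allowlisted module can still be abused inside `generate_signals`, and a determined file can defeat pure-AST checks. Anything stronger means running the strategy in a separate process or container with no credentials and no network, which is what the overview recommends.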

Missing User Warnings

Low
Confidence
75% confidence
Finding
The skill tells the agent to ask the user for a TuShare token via environment variable and not to hardcode it, but it does not include a clear warning that the token is sensitive, should not be pasted into chat or stored in notes/files, and should be handled with minimal exposure. That omission can lead to accidental credential disclosure through conversation history, logs, or generated workspace artifacts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The evaluator executes agent/strategy.py automatically without any user confirmation or warning, increasing the chance that unreviewed agent-authored code is run implicitly. Because the file is agent-controlled and loaded dynamically, this amplifies the risk of accidental or malicious execution in environments where users may expect a fixed evaluator rather than arbitrary code loading.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This script launches the agent in fully non-interactive mode with shell/edit permissions and no approval gate (`--ask-for-approval never` for Codex and `--permission-mode dontAsk` plus `Read,Edit,Bash` for Claude). Although the script tries to constrain writes via the working directory, a malicious or compromised model can still execute arbitrary commands within the workspace, exfiltrate any data it can reach, or cause other side effects before the run ends; the post-run manifest check only compares files after the fact and catches at most some of the resulting filesystem drift, not commands that were run or data that left the machine.
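The limits of a post-run manifest check, shown with an added example (not the script's own check): a snapshot of every file's SHA-256 before and after the run yields added, removed and modified paths inside the workspace, while a write to any directory outside the snapshot root, here standing in for the side effects an unrestricted `Bash` permission allows, leaves no trace in the report. The directory layout and the simulated agent edits are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def drift(before, after):
    """Compare two snapshots; this is everything a manifest check can observe."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }


def simulated_agent_run(workspace, elsewhere):
    """Constructed stand-in for the non-interactive agent: two edits inside the
    workspace and one copy of workspace content to a directory outside it."""
    (workspace / "agent" / "strategy.py").write_text(
        "def generate_signals(prices):\n    return [1] * len(prices)\n")
    (workspace / "notes.md").write_text("edited by agent\n")
    (elsewhere / "copied.txt").write_text((workspace / "notes.md").read_text())


def run_demo():
    """Returns (drift report, whether the out-of-workspace write happened)."""
    workspace = Path(tempfile.mkdtemp(prefix="ws-"))
    elsewhere = Path(tempfile.mkdtemp(prefix="outside-"))
    (workspace / "agent").mkdir()
    (workspace / "agent" / "README.md").write_text("agent scratch dir\n")
    (workspace / "notes.md").write_text("original\n")

    before = snapshot(workspace)
    simulated_agent_run(workspace, elsewhere)
    after = snapshot(workspace)
    report = drift(before, after)
    leaked = (elsewhere / "copied.txt").exists()
    return report, leaked


if __name__ == "__main__":
    report, leaked = run_demo()
    print("manifest drift:", report)
    print("write outside workspace visible to the check:", False)
    print("write outside workspace actually happened:", leaked)
```

The report correctly lists `agent/strategy.py` as added and `notes.md` as modified, and says nothing about `copied.txt`; a check of this shape should be treated as a change log for review, not as a containment boundary.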

Static analysis

Dynamic code execution

Critical
Finding
Dynamic code execution detected.

VirusTotal

VirusTotal findings are pending for this skill version.
