YahooClaw

Security checks across malware telemetry and agentic risk

Overview

YahooClaw is a straightforward market-data skill that fetches stock data from Yahoo Finance and computes its analysis locally; the findings below concern missing user-facing disclosures (third-party data transmission, secret handling, and financial-advice risk) rather than malicious behaviour.

Install only if you are comfortable with requested ticker symbols and news searches being sent to Yahoo Finance (and to any fallback API the skill is configured with) by the underlying data-fetching dependency. Do not treat generated BUY/SELL labels or confidence scores as financial advice, and keep real API keys out of version-controlled files and out of any logs or support artifacts you share.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Low
Confidence: 89%
Finding
The README advertises news aggregation and fallback API usage without warning that user-supplied stock symbols and related query context may be transmitted to third-party services. This is dangerous because users and integrators may unknowingly disclose request metadata to external providers, creating avoidable privacy and compliance risk in an agent environment.

Missing User Warnings

Severity: Low
Confidence: 95%
Finding
The README instructs users to place API keys in a .env file but does not warn against committing secrets to version control or sharing them in logs/support artifacts. In practice this omission often leads to credential leakage, unauthorized API usage, cost abuse, and potential lateral exposure if users reuse credentials or mishandle deployment bundles.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The README promotes technical indicators, sentiment analysis, and explicit trading recommendations such as BUY/SELL/STRONG_BUY without a clear disclaimer that outputs are informational only and not financial advice. In a finance-oriented skill, this can mislead users into over-trusting generated analysis and making harmful investment decisions, especially when confidence scores and recommendation labels are presented as authoritative.
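The secret-handling warning in the second finding, and the Overview's advice about tracked files and logs, translate into two concrete checks a user of this skill can run before publishing or asking for help: confirm that .env files are excluded by the repository's ignore rules before the first commit, and strip credential values from any log excerpt before sharing it. The following is an added example written for this page, not code from YahooClaw or SkillSpector. The .gitignore and log contents are constructed, the ignore matcher is a deliberately simplified approximation of git's rules, and the credential name pattern (api_key, token, secret, password) is an assumption about how such variables are commonly named.

```python
import fnmatch
import re

# Constructed sample inputs, not files from the YahooClaw project.
GITIGNORE_BEFORE = """# dependencies
node_modules/
__pycache__/
"""

GITIGNORE_AFTER = """# dependencies
node_modules/
__pycache__/
# local secrets: never commit, but keep the documented template
.env
.env.*
!.env.example
"""

SAMPLE_LOG = """2024-05-01T10:00:00Z INFO fetching quote for AAPL
2024-05-01T10:00:01Z DEBUG fallback request url=https://example.invalid/v1/quote?symbol=AAPL&apikey=sk_live_ABCDEF1234567890
2024-05-01T10:00:01Z DEBUG loaded env NEWS_API_KEY=9f8e7d6c5b4a3c2d1e0f9f8e7d6c5b4a
2024-05-01T10:00:02Z INFO recommendation for AAPL: BUY (confidence 0.81)
"""

# Assumed naming convention: a credential-looking identifier (api_key, apikey,
# token, secret, password, possibly embedded in a longer name such as
# NEWS_API_KEY) assigned with '=' or ':'. The value runs until whitespace,
# '&' (next query parameter) or a quote.
SECRET_ASSIGNMENT_RE = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:api[_-]?key|token|secret|password)[A-Z0-9_]*)"
    r"(\s*[=:]\s*)([^\s&\"']+)"
)


def gitignore_covers(gitignore_text: str, path: str) -> bool:
    """Approximate git's matching for a top-level file: patterns apply in order,
    the last match wins, and a leading '!' re-includes the file. Directory
    patterns (trailing '/') are skipped because only plain files are tested.
    Hypothetical helper for illustration; in a real repository run
    `git check-ignore -v <path>` instead."""
    ignored = False
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        pattern = line[1:] if negate else line
        if pattern.endswith("/"):
            continue
        if fnmatch.fnmatchcase(path, pattern):
            ignored = not negate
    return ignored


def redact_secrets(line: str) -> str:
    """Replace the value of every credential-looking assignment with a
    placeholder so a log excerpt can go into a bug report or support ticket."""
    return SECRET_ASSIGNMENT_RE.sub(
        lambda m: f"{m.group(1)}{m.group(2)}<redacted>", line
    )


def audit(gitignore_text: str, log_text: str,
          env_files=(".env", ".env.local", ".env.production")) -> dict:
    """Report which env files the ignore rules would still let `git add` pick
    up, and return the log with secret values removed.
    Caveat: ignore rules do not protect a file that is already committed; that
    needs `git rm --cached <file>`, history rewriting if it was pushed, and
    rotation of the exposed key."""
    not_ignored = [p for p in env_files if not gitignore_covers(gitignore_text, p)]
    redacted = "\n".join(redact_secrets(l) for l in log_text.splitlines())
    return {"env_files_not_ignored": not_ignored, "redacted_log": redacted}


if __name__ == "__main__":
    print("before:", audit(GITIGNORE_BEFORE, SAMPLE_LOG)["env_files_not_ignored"])
    print("after: ", audit(GITIGNORE_AFTER, SAMPLE_LOG)["env_files_not_ignored"])
    print(audit(GITIGNORE_AFTER, SAMPLE_LOG)["redacted_log"])
```

With the first .gitignore all three env files would be staged by a careless `git add .`; the second ignores `.env` and `.env.*` while re-including `.env.example` so the documented template still ships. The redaction keeps the key names (useful for debugging which credential was loaded) and drops only the values, including the one embedded in a fallback-API query string.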

VirusTotal

66/66 vendors flagged this skill as clean. Note that an antivirus verdict covers known-malicious code patterns, not the disclosure gaps listed above.