Investment Browser SEC Scraper

Security checks across malware telemetry and agentic risk

Overview

This instruction-only SEC filing analysis skill is purpose-aligned, but users should confirm any generated Google Sheet or shared report links before running it.

Install only if you want an agent to browse SEC EDGAR filings and create financial analysis outputs. Before running it, confirm the ticker, source filing, and whether PDF or Google Sheet exports should be created; keep generated sheet links private unless you intentionally share them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs automatic creation of a PDF report and a Google Sheet, then sending links to the user, which implies writes to external services and generation of shareable artifacts without any consent, confirmation, destination constraints, or access-control guidance. In a finance-oriented scraping skill, this can expose scraped data, create overshared documents, or modify user-accessible resources in ways the user did not explicitly authorize.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger examples are broad enough to match ordinary finance queries such as requests for a company's latest 10-Q or balance sheet, which can cause the skill to activate when the user did not explicitly intend to invoke it. In a finance context, unintended invocation can misroute user requests, override safer/default behaviors, or cause users to rely on a paid or specialized workflow without clear consent.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill instructs the agent to browse sec.gov, generate a PDF and Google Sheet, and send links to the user without disclosing that external network access and third-party sharing/storage will occur. This can expose user prompts, derived analysis, or report contents to external services and creates a transparency and consent problem, especially in finance workflows where outputs may contain sensitive investment research or proprietary context.

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger phrase "NVDA balance sheet" is broad enough to overlap with ordinary finance queries, which can cause the skill to activate unexpectedly during normal user conversation. In a finance-oriented skill, this is more dangerous because users are likely to discuss exactly these topics frequently, increasing the chance of unintentional invocation, misleading outputs, or unwanted data handling.

VirusTotal

66/66 vendors flagged this skill as clean.