Investment Buddy Pet

Security checks across malware telemetry and agentic risk

Overview

This finance companion is not clearly malicious, but it combines broad execution, persistent financial profiling, proactive messaging, sync/share features, and contradictory investment-advice safeguards that deserve review before installation.

Install only if you are comfortable with a finance skill that can persist local user and holdings data, run a proactive heartbeat loop, fetch market data, and potentially generate actionable investment guidance despite its disclaimers. Before using it with real financial information, disable or remove viral/share, sync, profiling, and master-advice paths unless explicitly needed, and treat all outputs as non-professional educational content rather than investment advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (71)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares powerful tools (Bash, Read, Write, Exec, Message) and instructs agents to run scripts, read configs, and manage per-user state, yet there is no clear permission model, scoping, or user-consent boundary for those operations. In a financial assistant context, hidden or underspecified file, shell, and network-capable behavior can lead to unauthorized data access, persistence, outbound syncing, or execution of risky automation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior substantially exceeds the user-facing description, including analytics, persistent storage, network market-data retrieval, knowledge-base ingestion, config self-modification, cross-skill calls, and external syncing. This mismatch prevents informed consent and makes it easier for a seemingly harmless 'pet companion' skill to collect sensitive financial interaction data or perform autonomous actions the user did not reasonably expect.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill defines autonomous ingestion of conversation logs, market events, and feedback into a self-maintaining knowledge base, which materially expands behavior beyond a simple pet-style investment assistant. This increases data handling and persistence scope, creating privacy, governance, and unintended-action risks if the agent performs background collection or updating without explicit user consent and tight boundaries.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The document says raw/ is immutable while other sections instruct the system to record new conversations, market events, and feedback into raw/ paths, creating contradictory write semantics. Such inconsistency can lead to unsafe implementations, accidental overwrites of source data, broken audit trails, and incorrect assumptions about provenance and data integrity.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The report's example pet messages include market-drop guidance such as '继续持有就好' and probability-based recovery claims after a 3% decline, which conflict with the documented hard constraint forbidding market-timing advice. In an investment-assistant skill, this inconsistency is dangerous because downstream prompt/template authors may treat these examples as approved behavior and generate regulated or misleading advice despite the claimed compliance layer.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The delivered file list includes 'viral_growth.py' and 'sync_manager.py', capabilities that exceed the described pet-companion investment-assistant scope and suggest growth automation or data synchronization features not explained in the safety model. In this context, undeclared propagation or sync behavior increases risk because a finance-themed skill also handles sensitive portfolio-related interactions, making hidden sharing, replication, or external data movement more concerning.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The README claims the skill only provides investment companionship and emotional support, but elsewhere documents user data storage, proactive heartbeat behavior, and a viral_growth.py component. This mismatch can mislead users and reviewers about the real behavioral scope, reducing informed consent and increasing the chance that higher-risk functionality is installed without proper scrutiny.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
A documented viral_growth.py module is not reasonably necessary for a pet-style investment companion and suggests hidden growth, referral, or propagation behavior outside the user's expected interaction model. In an agent skill context, unjustified self-promotion or propagation features are especially risky because they can be repurposed for spam, manipulation, or unauthorized outreach.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill presents itself as a companionship/education tool but includes concrete buy timing and position-sizing guidance for a named stock, which is specific investment advice. In a finance context this is especially dangerous because users may rely on the anthropomorphic framing and disclaimers while still receiving actionable recommendations that can cause financial harm or create regulatory exposure.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documentation explicitly says the skill must not recommend specific funds or stocks, but a later example contradicts that rule by advising on buying 贵州茅台 with suggested position size and strategy. Contradictory guidance weakens safeguards, increases the chance that downstream agents follow the unsafe example, and normalizes policy-violating investment advice despite nominal compliance language.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The design states user data must never be stored in the cloud and emphasizes local-only processing, yet the audit design later records user_id and full tool parameters without clearly constraining where those logs are stored or how sensitive parameters are redacted. In a financial-assistant context, tool parameters can contain portfolio details or other personal financial data, so this inconsistency can lead to unintended retention or transmission of regulated/sensitive data.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document promises that all outputs include risk disclosures and that every message is compliance-checked, but the documented logic only appends disclaimers for selected trigger types and may return messages without a final disclaimer. In a financial assistant, this gap can lead to undisclaimed, persuasive investment-related content reaching users despite the design claiming universal safeguards.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The spec materially expands a 'pet companion' skill into a broad market-data and investment-advice orchestration layer, including real-time quotes, holdings analysis, and master-advice generation. This scope creep increases attack surface and user-harm risk because a lightweight companion feature is being positioned to process financial data and drive investment decisions without corresponding controls, disclosures, or clear authorization boundaries.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The compliance section claims the system must not recommend products or provide timing advice, but other parts of the spec instruct the system to answer questions like whether to buy a named stock and suggest position sizes and phased entry. That contradiction is dangerous because developers may rely on the stated controls while the actual examples normalize regulated, product-specific investment guidance.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The master summon request/response examples are centered on a specific security ('贵州茅台') and include actionable advice such as whether to buy now, build positions in batches, and cap exposure. This directly conflicts with the stated prohibition on product recommendations and market timing, creating a realistic path to unauthorized or non-compliant investment advice.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The document explicitly instructs the system to record every user interaction and feedback into persistent storage and reuse that data to build patterns. That exceeds the narrowly described pet-style investment assistant function and creates unnecessary collection of behavioral data, increasing privacy, profiling, and secondary-use risk without clear user consent or minimization.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The A/B testing, helpfulness tracking, and persona-tuning workflow turns ordinary user interactions into experimentation and profiling data. This expands the skill beyond answering investment questions into optimizing persuasion style and behavioral adaptation, which can affect user autonomy and create undisclosed profiling risk.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The document defines a proactive investment-advice system with broad trigger categories and intervention behaviors that exceed the stated 'pet companion' scope. This kind of scope expansion is dangerous because it can cause the agent to operate with materially different authority and user expectations than the manifest discloses, increasing the risk of undisclosed financial influence and unsafe autonomous nudging.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
These templates contain concrete buy/sell guidance such as reducing positions, holding, or adding exposure, which goes beyond a soft companion or reminder role. In a financial context, explicit trade recommendations can materially influence user decisions and create regulatory, safety, and consumer-protection risk if delivered without proper qualification, suitability checks, or disclosure.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The opportunity-alert template presents market conditions as a direct buy signal and includes position sizing, stop-loss, and target-price guidance. That is effectively actionable trading advice, and in the context of a pet-themed assistant it is especially risky because playful framing can lower user skepticism while still steering real-money decisions.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The template engine is designed to fetch market data, user data, and holding data and merge them for personalized messaging, which is broader than what a simple companion interaction appears to require. This creates unnecessary access to sensitive financial information and increases the blast radius if data is mishandled, overused, or exposed through prompts, logs, or downstream integrations.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The document explicitly defines continuous behavior analysis, dynamic score adjustment, quarterly reassessment, and personality evolution tracking, which materially expands the skill from a simple companion-style investment helper into persistent behavioral profiling. In a financial context, this creates sensitive inference risks because users may be monitored and categorized over time without clear disclosure or consent boundaries.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The schema stores long-term personality assessment records, recommended pets, dimension scores, and evolution logs tied to a user ID, enabling persistent financial-behavior profiling. This is sensitive data beyond what the manifest describes, and the mismatch increases the risk of undisclosed collection and retention of inferred personal traits.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The API exposes broad graph exploration primitives using user-controlled parameters, including full graph retrieval and arbitrary path traversal, without any shown authentication, authorization, or ownership checks. In the context of an investment assistant that models user-pet relationships, this can enable unauthorized enumeration of relationship data, inference of user behavior, and excessive data exposure beyond least privilege.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The document defines a broad proactive task engine that monitors market movements, user behavior, holdings risk, and external events to trigger interventions, which materially expands the skill beyond a passive 'pet companion' into an automated investment-influence system. In a financial context, undocumented expansion of scope is dangerous because downstream agents or operators may enable actions, alerts, or data processing that users did not reasonably expect from the manifest description.

VirusTotal

65/65 vendors flagged this skill as clean.
