Investment Framework Skill

Security checks across malware telemetry and agentic risk

Overview

This is mostly an investment-analysis skill bundle, but it ships account-affecting publishing automation and live-looking embedded credentials that users would not expect from an analysis tool.

Install only after removing and rotating the embedded tokens, deleting or isolating ClawHub publishing/cron tooling, and narrowing tool permissions to the skills that actually need execution or network access. Treat outputs as educational investment analysis, not personalized financial advice, and review any script before allowing it to run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (159)

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill presents itself as an investment analysis framework, but its contents also reach into external data fetching, automated report generation, shell scripting, repository-maintenance workflows, and even hard-coded credentials/tokens. That breadth materially increases the attack surface because a user invoking a seemingly analytical skill could trigger networked or shell-capable behavior unrelated to the declared purpose, including misuse of the embedded secrets or execution of the maintenance logic.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The document defines scheduled automation to publish batches of skills to an external platform, which is unrelated to the declared investment-analysis function of this skill. Hidden operational capabilities like deployment automation expand the skill’s effective behavior and can be abused for unauthorized distribution, spam, or propagation if the package is reused or executed in another environment.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The file documents operational commands for monitoring, manually triggering, and validating publication to ClawHub, introducing external network and platform-management behavior unrelated to investment analysis. This mismatch increases supply-chain risk because a user or agent consuming the skill may inherit unexpected publishing capabilities and external side effects.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The plan explicitly proposes scraping auxiliary financial data and later suggests using a proxy if needed to bypass connectivity or access restrictions. In an investment-analysis skill, collecting market data is relevant, but scraping and proxy use materially increase compliance, abuse, and evasion risk because they can circumvent provider restrictions or terms and expand the skill beyond normal API-based retrieval.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The design includes `publish_to_feishu(report)`, which adds outbound document publication capability unrelated to the stated investment-analysis scope. Expanding a skill from local analysis/data retrieval into third-party publishing increases data exfiltration and unauthorized sharing risk, especially if reports may contain user inputs, portfolio details, or API-derived results.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Embedding external publishing to Feishu in the workflow introduces a non-essential outbound channel for an investment-analysis skill. This broadens the attack surface and creates a pathway for sensitive analysis outputs to be transmitted to an external service without clear necessity or scope declaration.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The README presents the skill as producing investment suggestions, including fund recommendations and buy/investment advice, while later claiming it does not recommend specific funds or stocks. This inconsistency can mislead users and downstream systems about the skill’s actual behavior, weakening compliance controls and increasing the chance that users treat the output as regulated financial advice.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The compliance statement says the skill only provides educational analysis and does not recommend specific funds or stocks, but earlier sections describe concrete recommendations and investment advice. Such contradictory safety/compliance claims are dangerous because reviewers, platforms, or users may rely on the disclaimer while the operational content encourages regulated or high-stakes guidance.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill claims it does not recommend specific fund codes, but later provides named ETFs and concrete allocation percentages. This mismatch can mislead downstream systems or users into treating the content as generic education when it is actually actionable investment guidance, increasing compliance and suitability risk.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The section labeled as 'type-level' recommendations lists specific ETF/fund products, which is a direct contradiction. In an investment skill, this is dangerous because it can bypass internal guardrails meant to prevent product-specific recommendations and expose users to unsuitable or unlicensed financial advice.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is a cognitive-bias checker with allowed-tools limited to Read, yet its troubleshooting section references network, API, market-data access, and unrelated operational failures. This scope drift can mislead downstream agents or users into assuming the skill is permitted to access external data or rely on infrastructure outside its declared capability boundary, increasing the chance of unsafe tool chaining or inappropriate invocation.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
References to executable scripts (`chmod +x scripts/*.py`) and external market-data providers (including API/network checks) are unjustified in a documentation-only bias-detection skill. Even without embedded code, these instructions can encourage operators or agent frameworks to execute scripts or seek unauthorized external data, violating least-privilege and blurring trust boundaries.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The document classifies 33.3% as '低风险' ('low risk') even though the stated thresholds and the included Python logic both place 30–60% in the medium-risk band. In an investment decision-support skill, this inconsistency can mislead users into underestimating cognitive-bias risk and proceeding with flawed decisions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill is documented as a read-only, conceptual analysis tool with allowed-tools limited to Read, but the troubleshooting section references network/API-based market data retrieval and Tushare 积分 (credit points) usage. This creates a capability/documentation mismatch that can mislead operators about what the skill may depend on or attempt to do, increasing the risk of unexpected external data access, execution paths, or hidden operational requirements.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is documented as an enterprise-culture analyzer with read-only tooling, but the troubleshooting section introduces external market-data retrieval, network/API dependence, and stock-code handling unrelated to the stated purpose. This creates scope creep and can cause an agent or operator to treat the skill as authorized to fetch external financial data, increasing the chance of unintended data access, unsafe integrations, or execution paths outside the declared trust boundary.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The front matter declares allowed-tools: [Read], implying a non-executing, read-only skill, yet the body advises checking script execute permissions and external data fetching. This mismatch is dangerous because policy engines, reviewers, or orchestrators may trust the manifest while the content socially engineers users or downstream agents into running scripts or accessing networks beyond the declared permissions.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The troubleshooting section introduces live network/API market-data behavior ('检查网络或 API 状态', i.e. 'check network or API status', and 'Tushare 积分', i.e. Tushare credit points) that is not reflected in the manifest or main skill description, creating a scope mismatch. Hidden external data dependencies can cause the agent to invoke or rely on data acquisition paths users and reviewers did not expect, which is risky in an investment skill because it affects decision-making inputs and expands the operational surface.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The file presents itself as a simple long-term holding checklist with only the Read tool allowed, but the troubleshooting section implies executable scripts and live data fetching ('chmod +x scripts/*.py', network/API failures). This inconsistency is dangerous because reviewers and orchestrators may underestimate the skill's effective behavior, while downstream implementations could introduce unreviewed execution or data-access pathways.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The script claims it can assess long-term investment suitability without external data, yet it produces explicit buy/hold/sell recommendations from fixed heuristics and default scores. In an investment-analysis skill, this is dangerous because users may rely on authoritative-sounding financial advice that is not grounded in actual company data, creating a risk of misleading decisions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The troubleshooting section introduces operational expectations around network access, executable scripts, API status, and Tushare points, which materially expands the skill from a pure analysis template into one that may fetch external market data. This mismatch can cause agents or integrators to enable network/data-access behavior that was not declared in the skill’s visible interface or description, increasing the risk of unintended external calls, privacy issues, and unreliable execution paths.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The declared input schema asks for descriptive company attributes and an optional PE ratio, but the troubleshooting guidance later assumes stock-code-based retrieval and specific exchange-formatted tickers. This inconsistency can lead implementations to infer or fetch undeclared inputs from external systems, creating ambiguous behavior, hidden dependencies, and a higher chance of incorrect analysis or unintended data access.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill is documented as a conceptual, read-only civilization-analysis framework with `allowed-tools: [Read]`, but the troubleshooting section references network connectivity, API status, Tushare quotas, and executable script permissions. This mismatch can mislead downstream agents or users into attempting external data access or script execution outside the declared capability and trust boundary.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The file presents itself as a read-only analytical skill, yet later operational guidance implies executable scripts and external data fetching. Such internal inconsistency is dangerous because agents may rely on the later instructions as authoritative operational steps, causing capability creep and unauthorized actions relative to the declared security model.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill declares `allowed-tools: [Read]` and presents itself as a simple read-only analysis flow, but the troubleshooting section references network/API access and external market-data acquisition. This mismatch can cause the runtime or downstream agents to assume a narrower trust boundary than the skill actually needs, creating a capability-confusion risk and potentially enabling unauthorized data access paths or hidden dependencies.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The documented interface says the caller supplies fundamentals such as PE, PB, and ROE directly, but later guidance implies the skill may instead resolve a stock code and retrieve data remotely. This inconsistency is dangerous because validation, auditing, and permission decisions may be made on the declared contract while the real implementation operates on a broader input surface and external data flows.

VirusTotal

66/66 vendors flagged this skill as clean.
