Openclaw Tradingview Quant

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only TradingView analysis skill with real financial-risk caveats, but no hidden code execution, persistence, account access, or trade execution behavior was found.

Install only if you want educational trading-analysis frameworks. Do not treat generated entries, targets, stops, position sizes, options structures, or sector weights as personalized financial advice, and verify market, locale, data freshness, and RapidAPI key handling before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Vague Triggers

Medium
Confidence: 89%
Finding
The skill advertises very broad finance-related activation criteria such as stock analysis, technical indicators, market screening, risk management, and trading strategies. This can cause the skill to trigger on a wide range of common financial queries, increasing the chance it is invoked when the user did not specifically request this methodology and potentially steering responses toward a single external framework.

Missing User Warnings

Medium
Confidence: 94%
Finding
The example includes explicit buy guidance, entry ranges, target price, stop loss, and position sizing without any accompanying warning that the content is informational and not financial advice. In a trading-analysis skill, users may reasonably treat example outputs as endorsed recommendations, which can encourage risky financial decisions and create compliance, trust, and user-harm exposure.

Missing User Warnings

Medium
Confidence: 96%
Finding
This crypto example provides directly actionable trading instructions with precise breakout entry, target, and stop-loss levels but no warning about volatility, potential loss of capital, or that the strategy is illustrative only. Because crypto markets are especially volatile and retail users may copy such instructions verbatim, the omission increases the likelihood of financial harm and over-reliance on the skill.

Missing User Warnings

Medium
Confidence: 89%
Finding
This section provides concrete trading entry, target, stop-loss, and success-rate guidance without an explicit warning that the material is educational only and can cause financial loss if followed. In a skill explicitly intended for investment analysis, users may reasonably treat these examples as actionable advice, increasing the chance of harmful reliance.

Missing User Warnings

Medium
Confidence: 95%
Finding
The file presents explicit scoring bands tied to recommendations such as 'Strongly Recommend' and later includes buy/sell signals, but it does not clearly warn users that the material is informational/educational only and not financial advice. In a skill specifically designed for investment analysis, users are likely to treat these outputs as actionable trading guidance, increasing the risk of harmful financial decisions and potential compliance issues.

Missing User Warnings

Medium
Confidence: 95%
Finding
The file presents specific buy recommendations, entry ranges, target prices, stop losses, and position sizing without any financial-risk warning or suitability disclaimer. In a trading-analysis skill, users may interpret this as actionable financial advice, increasing the chance of harmful real-world losses if followed blindly.

Vague Triggers

Medium
Confidence: 89%
Finding
The workflow description is broad enough that the skill may be invoked for loosely related market-analysis requests without clear boundaries or user intent checks. In an investment-analysis context, overly broad triggering can cause the agent to provide financial analysis or opportunity discovery in situations where the user did not explicitly ask for it, increasing the chance of inappropriate advice or unnecessary data access.

Natural-Language Policy Violations

Medium
Confidence: 82%
Finding
The example hard-codes a China market and Simplified Chinese news language without confirming the user's locale or preference. This can lead to mismatched data retrieval, incorrect assumptions about the user's market of interest, and inadvertent exposure of localized content that the user did not request, though the security impact is limited in this non-privileged context.

Vague Triggers

Medium
Confidence: 92%
Finding
The example trigger phrase "Batch analyze tech leader stocks" is broad and underspecified, which can cause the skill to activate for generic market-analysis requests that do not clearly ask for this specific workflow. In an agent environment, overly broad invocation patterns can lead to unintended tool usage, unnecessary external data calls, and user confusion about why batch analysis was performed.

Vague Triggers

Medium
Confidence: 87%
Finding
The example trigger phrase "Help me select strong stocks from China A-shares" is broad enough to match many ordinary stock-analysis requests, which can cause the skill to activate in contexts beyond its narrowly intended workflow. Overly broad invocation language increases the chance of inappropriate routing, unexpected financial-analysis behavior, and accidental use where more general or safer handling would be preferable.

VirusTotal

65/65 vendors flagged this skill as clean.
