A Stock Daily Review

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent stock-analysis purpose, but it asks for private portfolio details and advertises automatic WeChat delivery without enough controls or privacy scoping.

Review before installing. Use minimal or test portfolio data unless you understand exactly where WeChat reports are sent, how credentials are handled, how to redact holdings data, and how to turn off the nightly task. Treat the dependency skills and all trading recommendations as separate risks to review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill advertises automatic delivery of complete market reports to WeChat but does not explain what data is transmitted, whether portfolio contents are included, or what privacy/security controls apply. Because the skill also supports local portfolio tracking, users may unknowingly cause sensitive financial holdings and analysis to be sent to a third-party messaging platform, increasing privacy and data-leakage risk.

Missing User Warnings

Low
Confidence: 84%
Finding
The skill instructs users to store portfolio holdings, cost basis, and position size in a predictable local path under the home directory without warning that this is sensitive financial data. While local storage is not inherently unsafe, the absence of guidance on file permissions, encryption, or access control can expose private investment information to other local users, backups, logs, or misconfigured tooling.

VirusTotal

VirusTotal findings are pending for this skill version.
