Fin Advisor

Security checks across malware telemetry and agentic risk

Overview

The skill’s fund-advice purpose is understandable, but it appears to save sensitive investment preferences and send user queries to an external service without enough disclosure or control.

Install only if you are comfortable with the skill storing investment-related preferences in USER.md and potentially sending financial query text to an external slot-filling service. Before use, confirm where data is sent, how to opt out, how to delete stored profile fields, and whether writes to USER.md require explicit approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch
Severity: Medium
Confidence: 87%

Finding: The skill claims a narrow fund-advisory scope, but it also performs stateful profile management by persisting `persona_preference` in `USER.md`. This expands behavior beyond the stated purpose and creates an unnecessary privacy/data-handling surface, especially if users are not clearly informed that their preference will be stored across sessions.

Scope Creep
Severity: High
Confidence: 98%

Finding: The skill instructs the agent to use an `Edit` tool to modify `USER.md`, but `Edit` is not listed in `allowed-tools`. This permission/specification mismatch is dangerous because it encourages undeclared file modification behavior and breaks the trust model users and platforms rely on when evaluating what a skill can change in the workspace.

Missing User Warnings
Severity: Medium
Confidence: 94%

Finding: The skill reads and updates `USER.md` in the user's workspace to store style preferences, but the documentation does not clearly disclose this persistence behavior before doing so. Undisclosed writes to user-controlled files are a security and privacy concern because they can surprise users, create cross-session tracking, and alter workspace state without informed consent.

Missing User Warnings
Severity: High
Confidence: 97%

Finding: The skill explicitly instructs the agent to record user risk preference, investment experience, and sector interests into `USER.md` without any visible requirement for user notice, consent, minimization, retention limits, or access controls. In a financial-advisory context, this is especially sensitive because profile data can reveal investment behavior and risk tolerance, creating privacy, compliance, and cross-session data leakage risks if persisted or reused improperly.

Missing User Warnings
Severity: Medium
Confidence: 88%

Finding: The script sends the user-derived query to an external slot-filling service over the network, which creates a real data exfiltration/privacy risk if queries contain sensitive financial intent, fund selections, or other user-provided context. In this skill context, external enrichment may be functionally legitimate, but there is no visible consent gate, allowlist enforcement, minimization, or redaction before transmission, so the finding is valid.

VirusTotal

58/58 vendors flagged this skill as clean.