Security audit

futurespro-panda

Security checks across malware telemetry and agentic risk

Overview

This skill is a read-only futures data lookup tool, but its queries are sent to an external API and should not include private trading or account details.

Install only if you are comfortable sending futures lookup terms to the listed API or to an alternate endpoint you explicitly provide. Avoid entering account numbers, private positions, trading strategy details, or other sensitive financial information, and verify important fee or margin data with official exchange or broker sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The invocation description is broad enough to trigger the skill for general futures-related queries, which can cause unnecessary routing of user requests to this skill and its external API. Because the skill is designed to send query data over HTTP, over-invocation increases the chance of inappropriate external data disclosure and may produce irrelevant or misleading responses outside the skill’s intended scope.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The skill instructs the agent to send user-supplied query data to an external HTTP API but does not provide a user-facing disclosure or consent step. This creates a privacy and data-handling risk because users may not realize their inputs, including potentially sensitive financial interests or identifiers, are being transmitted to a third-party endpoint, especially since the base URL can be overridden by user input.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.