23-Strategy Stock Analysis Skill

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only stock-analysis skill that can give trading-style suggestions, but it does not request credentials, persist data, or execute trades.

Install only if you intentionally want technical-analysis style stock signals. Treat its output as educational research support, independently verify calculations and market data, and be especially cautious because parts of the reference implementation are placeholders while the skill describes a complete 23-indicator system.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The document presents the skill as a complete stock-analysis and decision engine, but the core indicator computation returns placeholder HOLD/0-score values with '待实现'. This is dangerous because users or downstream agents may rely on materially false outputs for financial decisions, creating a strong integrity and safety mismatch between claimed and actual behavior.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The code comments and API imply that all 23 indicator configurations are loaded, but the implementation returns only minimal placeholder configs for a few IDs. This can mislead callers into believing comprehensive coverage exists, causing incomplete or incorrect analysis paths and hidden logic gaps.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The public helper advertises returning the full indicator database, but actually returns an empty placeholder list. This creates an API contract violation that can mislead integrators, break trust assumptions, and cause downstream tooling to operate on nonexistent strategy definitions.

Vague Triggers

Medium
Confidence: 92%
Finding
The skill advertises very broad trigger phrases such as generic stock-analysis tasks, which can cause it to activate in situations the user did not specifically intend. In an investment-oriented skill that outputs buy/sell suggestions, over-broad invocation increases the chance of accidental routing, unintended financial guidance, and misuse in contexts where a narrower or different tool should be used.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill provides concrete buy/sell conditions and trading instructions without clear financial-risk disclaimers or boundaries. In this context, actionable trading guidance can materially influence user behavior and losses, especially because the document presents the rules as systematic and authoritative.

Missing User Warnings

Medium
Confidence: 91%
Finding
The decision flows and quick-reference tables prescribe specific actions such as position sizing, stop-losses, reducing holdings, and full liquidation without adequate warning about financial consequences. Because the skill context is an end-user stock analysis tool, such prescriptive outputs increase the chance of harmful overreliance.

VirusTotal

65/65 vendors flagged this skill as clean.
