Gold Trading Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it promotes paid automated gold trading and gives simplified trading advice with weak risk disclosure.

Review carefully before installing. Treat this as promotional financial content, not vetted investment advice; independently verify Gold-Oracle and any broker or prop firm, avoid sharing payment or login details unless you trust the external sites, and use demo or paper trading before risking real money.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 85%
Finding
The trigger instruction is broad enough that the skill may activate for generic requests about trading gold, causing the assistant to push a specific workflow and commercial product without clear user intent for solicitation. In a financial context, unintended invocation is more dangerous because it can steer users toward risky trading behavior and paid third-party services.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill markets gold trading and an automated trading subscription as a money-making tool without prominent risk disclosure, which can mislead users into underestimating the possibility of substantial financial loss. This is especially risky because the skill frames the product as 'proven' and 'safe,' increasing trust in a high-risk financial activity.

Missing User Warnings

Medium
Confidence: 95%
Finding
The onboarding flow directly guides the user to purchase a third-party subscription and proceed toward live trading, but it does not prominently warn about financial loss, third-party checkout risks, or the lack of independent verification of the vendor. In context, this is more dangerous because the skill actively facilitates a commercial funnel tied to speculative trading, which can pressure users into risky financial decisions.

VirusTotal

61/61 vendors flagged this skill as clean.
