Xiaodi Financial Team

Security checks across malware telemetry and agentic risk

Overview

This is mostly a disclosed financial-analysis skill, but it requests broad command execution and memory use around sensitive portfolio and trading data without enough limits.

Install only if you are comfortable with a finance skill using memory for holdings or trading history and with its broad exec permission. Prefer disabling or tightly restricting exec, do not share brokerage credentials or private account documents, verify financial recommendations independently, and review any added stock_analysis.py or other executable file before allowing it to run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The manifest requests the `exec` capability even though the stated purpose is financial analysis, which can typically be fulfilled with search, fetch, and memory tools. Granting shell or process execution to a finance-oriented skill materially increases the attack surface: if the skill prompt or downstream logic is compromised, it could run arbitrary commands, access local files, or stage further abuse on the host environment.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The prompt authorizes analysis of customer historical trading records and detection of abnormal operations without clear necessity, consent, or privacy constraints. In a financial context, this expands the skill into customer surveillance and potentially sensitive behavioral profiling, which can expose private financial data and enable misuse or over-collection.

Context-Inappropriate Capability

High
Confidence: 96%
Finding
Granting the business-opportunity analyst the 'exec' capability introduces arbitrary code/script execution into a financial-analysis agent that also consumes external market and news data. In this context, prompt injection, malicious data, or logic flaws could cause unintended command execution, local file access, persistence, or lateral actions beyond the stated need of technical analysis.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill is instructed to provide direct buy/sell/hold and position-sizing advice but does not prominently warn that outputs are not professional investment advice or require users to assess suitability and risk. In a financial-advice setting, this can drive harmful user actions, create compliance exposure, and increase the chance of users over-trusting speculative recommendations.

Vague Triggers

Medium
Confidence: 85%
Finding
The activation rule '当用户询问持仓分析时,启动协作模式' (roughly, "when the user asks about portfolio analysis, start collaboration mode") is broad and underspecified, so the skill may trigger on loosely related portfolio questions without clear boundaries, consent, or suitability checks. In a financial-advice context, ambiguous activation increases the chance of unsolicited analysis, over-collection of market data, or generation of investment guidance when the user's intent is informational rather than advisory.

Missing User Warnings

Medium
Confidence: 91%
Finding
The guide instructs retrieval of live financial data from third-party endpoints but does not disclose network access, data sharing implications, or source-trust limitations. In a financial workflow, silent external calls can expose user interest/behavior patterns, create integrity risks if sources are spoofed or stale, and reduce transparency around how recommendations are generated.

VirusTotal

64/64 vendors flagged this skill as clean.