ClawHub

Currency Forecast Pro

Security checks across malware telemetry and agentic risk

Overview

This skill performs purpose-aligned currency-rate analysis using public exchange-rate data and optional market research, with no evidence of credential access, persistence, or destructive behavior.

Install only if you are comfortable with the agent sending currency pairs and market-research queries to external public data/search services. Avoid including private financial details in prompts, and treat the forecasts as informational analysis rather than financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill explicitly states it uses `exec` for API calls and `web_search` for market research, yet the metadata declares no required environment or permissions. This creates a capability/permission mismatch that can hide external network use from reviewers and users, reducing transparency and weakening policy enforcement around outbound access.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The invocation examples are very broad natural-language requests such as 'Forecast USD/EUR exchange rate' and 'Compare USD/CNY and EUR/USD forecasts' without clear trigger boundaries or exclusions. Broad matching can cause the skill to activate in unintended contexts, leading to unnecessary external lookups or execution of analysis behavior when the user did not explicitly mean to invoke this skill.

Missing User Warnings

Low
Confidence
88% confidence
Finding
Although the skill later mentions Frankfurter API and web search as data sources, the main description and usage sections do not clearly warn users that external web/API lookups will occur. This weakens informed consent and can surprise users or operators in environments where outbound requests, data handling, or privacy expectations are tightly controlled.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal