A Stock Screener

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed A-share stock screening helper that uses public market data and exports a spreadsheet, but users should treat its results as incomplete research support.

Install only if you are comfortable running a Python tool that retrieves public financial data from third-party data sources and writes an Excel file. Do not rely on the generated stock list as a complete five-step risk-screened portfolio or as investment advice; verify the missing checks manually against official filings and trusted financial data before making decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The script presents itself as a complete five-step quantitative stock screener, but several advertised checks are only placeholders or are explicitly skipped. In a financial decision-support skill, this can mislead users into trusting results that were not actually validated, creating a material integrity and decision-risk issue even without classic code-execution abuse.

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The step1 docstring claims valuation and 30-day volume screening, but the code only filters out ST stocks and never applies the PE or volume criteria. Because this is the initial gate in a stock-selection pipeline, users may believe securities passed quantitative filters they never underwent, resulting in false confidence and potentially poor investment choices.

Intent-Code Divergence

Low
Confidence: 90%
Finding
The step5 description promises both maximum drawdown and lockup-pressure checks, but the implementation only performs a simplified drawdown screen and omits the unlock-pressure analysis. This understates risk in the final output and can cause users to treat the screened list as safer than it really is.

Vague Triggers

Medium
Confidence: 89%
Finding
The invocation phrases are very broad (for example, generic requests to help pick A-shares or find certain stock characteristics) and do not clearly constrain when the skill should activate. In an agent environment, this can cause unintended triggering on loosely related financial conversations, leading the system to provide stock-screening outputs when the user did not explicitly request this skill or understand its assumptions.

VirusTotal

66/66 vendors flagged this skill as clean.
