ClawHub

M估值法

Security checks across malware telemetry and agentic risk

Overview

This stock-valuation skill is mostly purpose-focused, but it needs review because it embeds third-party API credentials and relies on external services/helpers in ways users cannot easily control.

Review before installing. The valuation workflow is recognizable, but users should only run it if they accept outbound financial lookups and the publisher replaces embedded API tokens with user-provided configuration, documents the external helper dependency, and removes or clearly labels placeholder financial inputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

High
Confidence
99% confidence
Finding
A live-looking Tavily API key is hard-coded directly into the script and exported into the process environment. Anyone with code access can reuse the credential for unauthorized API calls, incur cost, and potentially access associated account data or telemetry.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script sends stock identifiers and user-supplied names to an external search helper/service without explicit user notice or consent. In an agent-skill context, silent outbound transmission is a real privacy and data-governance risk because users may assume analysis is local.

Missing User Warnings

High
Confidence
99% confidence
Finding
A Tushare API token is embedded in code, exposing a reusable credential to anyone who can read the file. Hard-coded service tokens are routinely harvested, abused for quota theft, and can facilitate broader account compromise depending on provider controls.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal