ClawHub

Finage

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Finage market-data connector that uses the OOMOL oo CLI and does not include hidden code, persistence, or destructive behavior.

Install only if you are comfortable using OOMOL as the intermediary for your Finage account and API-key connection. Treat the listed actions as read-only market-data actions, and require explicit confirmation before allowing any Finage create, update, post, send, delete, or remove operation outside the documented action list.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The action is described as a read-only market data query ('get the previous close aggregate bar') but the file explicitly labels it as a write action that changes Finage state and instructs the operator to confirm payload and intended effect. This mismatch can mislead an agent into applying the wrong safety policy, causing unnecessary friction at best and unsafe handling assumptions at worst if similar mislabeling appears elsewhere in the skill.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The description says to use this skill for ANY Finage request and instead of calling the API directly, which is an overly broad routing trigger. That can cause the agent to invoke this skill for unrelated or higher-risk Finage tasks without sufficient narrowing, increasing the chance of unintended tool use and bypassing more context-appropriate safeguards.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal