Financial Report Tracker

Security checks across malware telemetry and agentic risk

Overview

This skill appears to fetch public earnings data and generate finance reports as advertised, but users should treat its investment recommendations and quarter-specific output cautiously.

Install only if you are comfortable with a finance-reporting tool making outbound requests for public ticker data. Treat its recommendations as informational, verify the data source and reporting period yourself, and do not rely on it alone for investment decisions, especially when using the --quarter option.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The review flow goes beyond neutral financial-report tracking and produces prescriptive investment guidance such as accumulating, waiting for pullbacks, and growth-allocation suggestions. In a finance context, presenting automated buy/avoid advice without suitability checks, disclosures, or risk controls can mislead users into acting on unvetted recommendations and creates compliance and consumer-harm risk.

Intent-Code Divergence

Medium
Confidence: 89%
Finding
The CLI advertises quarter-specific review support, but the quarter argument is never used in data retrieval or report generation. This mismatch can cause users to trust a report as quarter-scoped when it is actually generic/latest data, leading to incorrect financial interpretation and potentially harmful decisions.

Vague Triggers

Medium
Confidence: 82%
Finding
The invocation guidance is broad enough that the skill could activate for many generic finance-related requests, not just explicit earnings-tracking tasks. Over-broad triggers can cause inappropriate skill invocation, leading the agent to fetch external financial data or generate investment-oriented analysis when the user did not clearly request it, increasing the chance of unnecessary network access and misleading financial output.

VirusTotal

67/67 vendors flagged this skill as clean.
