X2strategy

Security checks across malware telemetry and agentic risk

Overview

The skill has a coherent finance-research purpose, but it needs review because it can store credentials and documents, send document text to external LLM providers, and run generated trading/backtest code, and because it ships test tooling that reads credentials from an unrelated hard-coded path.

Install only in an isolated workspace or container; avoid confidential or unpublished documents unless you accept sending excerpts to the configured LLM provider; provide API keys through a managed secret mechanism when possible; and review generated strategy code before running it. Do not run the bundled full-test script unless you intentionally want live API/network tests and have checked which credentials it will load.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (28)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill explicitly instructs the agent to read files, write to `.env` and library paths, access environment variables, and perform networked searches/API calls, yet no permissions are declared. This creates a governance and consent gap: a host system may not surface or constrain these capabilities appropriately, increasing the risk of unintended file modification, secret handling, and outbound requests.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
This is a true vulnerability because the value strategy description and logic pipeline say the cheapest assets in Q5 should be long and the most expensive in Q1 should be short, but the execution plan reverses that mapping. In a skill that auto-generates executable trading code and backtests, this inconsistency can invert the strategy at execution time, producing systematically wrong trades, misleading validation, and potentially severe financial loss.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
This is a true vulnerability because the momentum pipeline emits quintile labels Q1 through Q5, but the execution plan expects different labels ('top_quintile' and 'bottom_quintile'). In this skill context, that mismatch can cause signals to be ignored, default to hold, or be misinterpreted during code generation/backtesting, leading to silent strategy failure and incorrect research conclusions.

Description-Behavior Mismatch

Low
Confidence
91% confidence
Finding
The script copies the input document into a persistent library directory and stores the document's absolute source path in metadata.json. In a research-analysis workflow, this can leak sensitive document contents and local filesystem information to other users, logs, backups, or downstream tools if the library directory is shared or exposed.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script reads API credentials from a hard-coded `.env` file outside the skill workspace and injects them into the test environment. This creates a credential-boundary violation: running the skill can silently consume secrets from an unrelated project and use them in downstream tests or network calls, which is risky in an agent context where users may not expect cross-project secret access.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script is described as an 'Offline full test runner' but it runs real end-to-end tests that depend on live APIs and loaded credentials. This misleading labeling can cause operators or automation to execute networked, billable, and data-exposing actions under the assumption that the script is safe for offline use.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The test fixture automatically reads a DeepSeek API key from an external `.env` file outside the project tree and injects it into the process environment. That behavior expands the skill's trust boundary and can cause unintended credential use whenever these tests are run in a developer environment with access to unrelated secrets.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly advertises an end-to-end pipeline that generates trading code, validates it, and runs backtests, but it does not prominently warn users that generated code and subprocess-based backtesting execute on the local system and may consume resources, access files, or perform unintended actions. In an agent-skill context, this is more dangerous because users may invoke the skill conversationally and assume the automation is safe by default, increasing the chance of unreviewed execution.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly promotes an end-to-end flow that generates trading code, validates it, and then executes backtests, but it does not clearly warn users that generated code and subprocess-based backtests may run untrusted or LLM-produced logic. In a skill that ingests arbitrary documents and turns them into executable artifacts, this omission increases the risk that users or agents will execute unsafe code with local file, network, or API-key access.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation criteria are very broad, including essentially any finance paper or many common research requests, which raises the chance the skill is invoked in contexts where users did not intend document ingestion, code generation, or external API usage. Over-broad routing increases exposure to unnecessary file access, network calls, and accidental handling of sensitive documents.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup flow asks users to provide API keys and then persists them to `.env` for 'session stability' without prominent warning about local storage risks, file permissions, exposure to other tools, or safer secret-management alternatives. Storing secrets in workspace-accessible files can lead to credential leakage through source control mistakes, logs, backups, or other skills/tools with file-read access.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly describes sending up to 100K characters of extracted paper text to an external LLM, but it does not mention privacy, confidentiality, data handling, or the fact that uploaded document contents may leave the local environment. In a research workflow, papers, drafts, internal reports, or notes may contain proprietary or unpublished material, so silent transmission to model providers creates a real data exposure risk.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The architecture states that mode selection is automatic and users should not be asked to choose, while both documented modes rely on LLM processing of extracted content. This removes an important consent and transparency checkpoint and increases the chance that sensitive document text is transmitted automatically without the user's informed approval.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document contains explicit long/short execution instructions and portfolio construction details, but it does not include any warning that generated code or backtests could be adapted for live trading and may cause financial loss if used without review. In the context of a skill whose stated purpose is to turn research into executable Backtrader code and backtests, this omission increases the risk that users treat the output as deployment-ready trading logic.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The extractor sends user-supplied paper content and derived sections to an external LLM service during multi-layer analysis, but this file shows no consent gate, redaction step, or disclosure mechanism before transmission. In a research skill, papers may include proprietary drafts, unpublished trading ideas, API keys accidentally pasted into notes, or sensitive client research, so silent exfiltration to a third-party model is a real privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The legacy single-call path also transmits paper methodology, signal logic, and data description to an external LLM without any visible notice or approval control in this file. Although functionally similar to the multi-layer path, the single-call mode may bundle more source content into one request, increasing exposure of confidential quant research or unpublished documents.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The wrapper sends arbitrary prompt content to a third-party LLM provider via litellm without any built-in disclosure, consent gate, redaction, or provider restriction. In this skill's context, prompts may contain unpublished finance research, proprietary reports, uploaded documents, or sensitive notes, so silent transmission off-box creates a real confidentiality and compliance risk even if this is normal product behavior rather than malicious code.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The async path has the same issue as the sync path: it forwards prompt contents to an external LLM API with no warning, policy enforcement, or sanitization. Because this skill is explicitly designed to ingest papers, DOCX reports, drafts, and notes, the risk is elevated by the likelihood of transmitting confidential or licensed material to external services.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The direct extraction path formats document text into a prompt and sends it to `achat(...)`, which appears to be an external LLM call, without any indication in this file of user consent, redaction, tenant isolation, or data-handling controls. Because this skill is designed to ingest arbitrary research inputs including private PDFs, DOCX files, and notes, sensitive or proprietary document contents may be disclosed to a third-party model provider unexpectedly.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The semantic extraction path retrieves relevant chunks from the supplied document and sends those chunks to `achat(...)` for analysis, again without any visible warning or consent mechanism in this file. Retrieval narrows the context but does not eliminate exposure; highly sensitive sections are often the exact passages most likely to be retrieved and transmitted to the external model.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation explicitly instructs the agent to place a real provider API key into a local `.env` file. Storing live secrets in project files increases the chance of credential exposure through logs, accidental commits, workspace sharing, backups, or later tool access by other components. In this skill context, the risk is heightened because the agent operates over files and directories and may copy, inspect, or preserve artifacts in a library structure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly directs the agent to generate and run code that fetches market data from external services like yfinance or akshare, but it does not require notifying the user that internet access and third-party data transmission will occur. This creates a real security and privacy concern because execution may make unexpected outbound network requests, expose query contents or identifiers to external providers, and violate offline or restricted-environment expectations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends parsed paper content to `extract_spec(...)`, which the metadata and CLI options indicate is an LLM-backed extraction flow, but it provides no warning, consent prompt, or clear disclosure that input JSON contents may be transmitted to an external model provider. Because this skill is designed to process arbitrary research documents, reports, and notes, users may unknowingly submit confidential or proprietary material to third-party services, creating a real data exposure and compliance risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script passes the user-supplied PDF path directly into `parse_pdf()`, and the skill description explicitly indicates LLM-based extraction modes. In this context, document contents may be sent to external model providers without any explicit consent prompt, warning, or local-only default in this entrypoint, creating a real confidentiality and privacy risk for uploaded research papers or proprietary reports.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script loads and exports API keys from a fixed `.env` path without clear prior consent or a strong warning that credentials will be accessed and propagated to child processes. In practice this can lead to unintentional secret use, unexpected billing, and broader exposure of credentials to tests, plugins, subprocesses, or logs generated during execution.

VirusTotal

66/66 vendors flagged this skill as clean.