ClawHub

China Stock Analysis

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only stock analysis skill with some scope and language clarity issues, but no hidden code, credential use, persistence, or destructive behavior.

Install this only if you want an agent to help analyze stocks using public web data. Treat any buy, hold, or sell output as informational, not financial advice, and be aware the skill may also handle US tickers despite being branded for Chinese stocks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata says it is for Chinese stock analysis, but the body explicitly adds US ticker support. This scope mismatch can cause the agent to activate in contexts the user or platform did not intend, leading to incorrect tool routing, policy bypass of market-specific constraints, and misleading expectations about the skill’s capabilities.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The activation text is broad enough to trigger on general stock-analysis requests, despite the skill being branded for Chinese companies. Overbroad invocation increases the chance the agent selects this skill for unrelated finance queries, producing out-of-scope recommendations or bypassing more appropriate domain-specific skills and safeguards.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The prescribed response template is entirely in Chinese and appears mandatory, regardless of the user’s language. This can degrade transparency and user comprehension, especially for non-Chinese-speaking users, increasing the risk of misunderstood financial analysis or recommendations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal