Security checks across malware telemetry and agentic risk

Overview

InvestorClaw is mostly a legitimate local portfolio-analysis service, but it also persists financial context and provider keys through local web/MCP surfaces with some under-scoped disclosure and hardening gaps.

Install only on a personal machine or a tightly controlled localhost environment. Review the Docker Compose file, keep ports 18090 and 18092 bound to loopback, avoid exposing the dashboard remotely without authentication, understand that LLM narration can send portfolio-derived summaries to configured providers, and treat Mnemos memory/response history as sensitive financial data that may need deletion or opt-out controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (60)

Intent-Code Divergence

Medium severity, 89% confidence
Finding
The privacy claims understate external data exposure by asserting that only ticker symbols are sent to cloud providers, while other documented features rely on optional LLM synthesis providers and third-party news/analyst services. Misleading data-flow documentation can cause users to trust the system with sensitive portfolio data under false assumptions, increasing the risk of unintended disclosure.

Context-Inappropriate Capability

Medium severity, 86% confidence
Finding
The proposed one-click capability to write agent configuration files can persist trust relationships and alter how the user's agent loads external MCP services. If implemented without strict confirmation, path validation, and transparent diff review, it could silently change client behavior and create a durable foothold for a service endpoint.

Description-Behavior Mismatch

Medium severity, 89% confidence
Finding
The documented tool surface includes operational capabilities beyond analysis, especially key management and initialization/control operations. This is a security concern because a user expecting analytics may unknowingly authorize sensitive mutations such as secret storage and service reconfiguration.

Description-Behavior Mismatch

Medium severity, 88% confidence
Finding
The skill is presented as educational analysis, yet it also acts as a response-management system with retrieval, deletion, and bad-response flagging. Retaining and managing prior responses can create privacy and integrity risks, especially when responses may include sensitive portfolio-derived summaries.

Context-Inappropriate Capability

Medium severity, 94% confidence
Finding
Direct API-key ingestion and persistence are sensitive capabilities that go beyond pure portfolio analysis and create a clear secret-handling surface. If misused or compromised, the skill can collect, store, and later use provider credentials, which expands the blast radius from local analytics to third-party account abuse and billing exposure.

Description-Behavior Mismatch

Medium severity, 90% confidence
Finding
The documentation describes an LLM-backed narration path that expands the skill from deterministic local analysis into externally mediated generative output. That matters because it changes the trust boundary, introduces nondeterministic behavior, and may expose portfolio-derived data to third-party services in ways a user of the base analyzer may not expect.

Intent-Code Divergence

Medium severity, 88% confidence
Finding
The docs claim the mode is educational/entertainment-only and avoids specific recommendations, yet the example uses directional language like 'Time to rebalance' and 'LET'S GO LONG!'. This inconsistency can mislead users into treating generated output as actionable financial advice, increasing compliance, trust, and user-harm risk.

Description-Behavior Mismatch

Medium severity, 87% confidence
Finding
The skill is presented as a portfolio analyzer, but it also exposes a general-purpose memory subsystem that stores and retrieves user observations. That is a material expansion of data handling and retention behavior, especially for sensitive financial context, and users may not reasonably expect it from the manifest description alone.

Description-Behavior Mismatch

Medium severity, 95% confidence
Finding
The install guide instructs users to add and run a second MCP service, 'mnemos', that provides long-term memory functionality beyond the declared portfolio-analysis purpose. This expands the skill's capability and data retention surface without clear scope disclosure, increasing the chance that sensitive financial context or user prompts are stored persistently.

Description-Behavior Mismatch

Medium severity, 96% confidence
Finding
The example prompt explicitly advertises writing user information to mnemos ('Remember that I'm planning to retire in 2030') even though the skill is presented as a deterministic portfolio analyzer. That mismatch can mislead users about where personal financial planning data goes and whether it is retained beyond the immediate session.

Description-Behavior Mismatch

Medium severity, 79% confidence
Finding
The install guide expands the skill’s apparent scope from portfolio analysis into broker-document ingestion and optional external API/news connectivity without clearly surfacing those data flows up front. That creates a real transparency and consent problem because users may provide sensitive financial documents expecting only local portfolio calculations, while the service may process broader data and potentially transmit it to configured third parties.

Description-Behavior Mismatch

Low severity, 71% confidence
Finding
The installation doc introduces a dashboard/web UI service that is not reflected in the skill description, which means operators may expose and trust an additional attack surface they were not expecting. Even if the dashboard is legitimate, undisclosed services reduce informed consent and can hide reachable interfaces for file upload, configuration, or future abuse.

Description-Behavior Mismatch

Medium severity, 89% confidence
Finding
The skill is presented as a portfolio-analysis capability, but it also exposes a persistent memory subsystem that stores user preferences and investing context. That materially expands the data-handling scope beyond the stated core function and can lead to collection and retention of sensitive financial-profile information without sufficiently prominent disclosure.

Intent-Code Divergence

Medium severity, 84% confidence
Finding
The 'does NOT do' section claims a narrow, educational-only scope, but earlier sections describe recording persistent observations and user preferences via memory tools. This contradiction can mislead users about data retention and privacy impact, reducing informed consent around storage of sensitive investing context.

Description-Behavior Mismatch

Medium severity, 91% confidence
Finding
The skill metadata presents a local portfolio-analysis capability, but the body documents an additional `mnemos` memory/knowledge-graph service. That scope expansion matters because agents or users may trust the manifest as a complete description, while the skill actually enables persistence and retrieval of investing context outside the narrowly described analyzer role.

Context-Inappropriate Capability

Medium severity, 94% confidence
Finding
The documented memory create/search functions are not necessary for a deterministic portfolio analyzer and introduce persistent storage of sensitive financial context. Even if stored locally, this increases privacy and data-minimization risk because portfolio preferences, account context, and prior discussions can accumulate without being clearly scoped in the manifest.

Context-Inappropriate Capability

Medium severity, 96% confidence
Finding
The skill explicitly encourages storing user preferences and investing context in persistent memory, which exceeds the stated analytics-only scope and can capture highly sensitive financial intent. This is dangerous because such preferences may later influence responses or be surfaced unexpectedly, creating privacy, profiling, and consent issues.

Description-Behavior Mismatch

Medium severity, 97% confidence
Finding
The skill describes use of external AI providers for consultation and narration, which is materially different from the manifest's localhost MCP-HTTP framing. This creates a real data-transmission risk because portfolio-derived content may be sent to third-party APIs, potentially exposing sensitive financial information beyond the user's machine.

Description-Behavior Mismatch

Low severity, 84% confidence
Finding
The remote market-data provider chain and Yahoo Finance fallback broaden the system's external dependencies beyond the simpler local analyzer description. While fetching market data is expected for this domain, the incomplete disclosure can still mislead users about network activity and external data sharing.

Context-Inappropriate Capability

Medium severity, 86% confidence
Finding
This module implements backup/restore for memories, provider configuration, MCP settings, and API-key references in addition to portfolio data, which expands the skill's data access and persistence surface beyond its stated portfolio-analysis purpose. Even though it stores only key references rather than raw secrets, exporting/importing operational configuration and user memory can expose sensitive internal state and create an unnecessary capability for data exfiltration or unintended persistence.

Context-Inappropriate Capability

Low severity, 79% confidence
Finding
The export path includes host-identifying metadata by default via hostname collection, which can disclose internal machine naming conventions or environment details unrelated to portfolio analysis. While low severity on its own, this creates avoidable privacy and reconnaissance leakage when bundles are shared, backed up externally, or imported into other environments.

Context-Inappropriate Capability

Medium severity, 88% confidence
Finding
The dashboard includes a web UI for accepting and persisting secrets, but this file shows no authentication or authorization checks around the route. In a dashboard serving on a network port, an exposed or misrouted instance could let unauthorized users overwrite provider credentials, disrupt service, or inject attacker-controlled API keys for downstream data exfiltration through third-party providers.

Context-Inappropriate Capability

Medium severity, 91% confidence
Finding
The code exposes a file-upload route that writes user-supplied content to disk and then triggers background processing, yet no authentication, authorization, size limits, or content validation are present here. If the dashboard is reachable by an attacker, they can plant arbitrary files in the portfolio directory, consume disk, and potentially influence later parsing pipelines that handle complex formats like PDF/XLSX/JSON.

Description-Behavior Mismatch

Medium severity, 96% confidence
Finding
This file adds agent-facing secret-management capabilities, including prompting for API keys, persisting them to `/data/keys.env`, and injecting them into the running process environment. That is materially broader than a portfolio-analysis skill description and increases the attack surface by enabling an agent to request, store, and modify long-lived credentials.

Context-Inappropriate Capability

Medium severity, 95% confidence
Finding
The tool exposes persistent secret-setting and deletion operations through agent-callable handlers (`portfolio_keys_set` and `portfolio_keys_delete`). In the context of a portfolio-analysis skill, this is dangerous because a compromised or over-permissioned agent can alter service credentials, disrupt downstream data sources, or trick users into supplying secrets unrelated to the stated purpose.

VirusTotal

65/65 vendors flagged this skill as clean.