ClawHub

Quant Orchestrator (Free)

Security checks across malware telemetry and agentic risk

Overview

This quant research skill is partly coherent, but it includes payment code that can charge an external billing account despite “Free” metadata.

Treat this as a paid or freemium skill, not a purely free quant tool. Do not run skill_with_billing.py or provide a user_id unless you intend to use SkillPay and accept a possible charge. Install it only in an isolated environment, rotate/remove the embedded billing key before any trusted deployment, and treat the trading metrics as simulated unless independently verified.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises install and usage steps that enable network access, shell execution, and local file writes, but it declares no permissions or trust boundaries. That gap is dangerous because users and platforms cannot make informed consent decisions, and the skill's quant-research context does not inherently require undisclosed billing/network behavior or report writing side effects.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is quant research/backtesting, but the skill also appears to perform billing operations, communicate with a third-party payment service, write local reports, and reportedly includes hardcoded billing credentials. This mismatch is dangerous because users may invoke a research tool without realizing it can charge accounts, exfiltrate data to external services, or expose embedded secrets, making abuse and unauthorized transactions more likely.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file adds billing and payment collection behavior to a skill described as a quant-analysis system, which is a strong scope mismatch and increases the chance of covert monetization or unauthorized charging. The code can automatically initiate charges and generate payment links, introducing financial-risk functionality unrelated to the stated purpose.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill performs external payment processing by sending user identifiers and charge requests to a third-party billing endpoint without any clear connection to quant-analysis functionality. In this context, the capability is dangerous because it enables monetization and financial side effects from a component users would reasonably expect to only analyze or backtest strategies.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
A live-looking API key is hardcoded directly in source, exposing a sensitive credential to anyone with file access and enabling unauthorized use of the billing account. Because the credential governs financial operations, compromise could lead to fraudulent charges, abuse of the payment API, or account takeover of billing functions.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill adds payment enforcement inside the core execution path even though the stated purpose is quant orchestration, not billing. This hidden monetization changes user expectations and can gate functionality or trigger financial workflows without clear disclosure, which is especially risky in an agent skill that may be invoked programmatically.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Importing and enabling a billing capability that is unrelated to the advertised quant-analysis purpose violates least privilege and expands the attack surface. A skill that can charge or initiate payment flows may be abused for unauthorized monetization or deceptive access control if users and integrators do not expect financial operations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The charge and payment-link requests transmit user identifiers to an external billing service without any visible user-facing disclosure, consent, or privacy notice in this code path. Even if only a user ID is sent, this is still external data sharing tied to payment operations and may violate user expectations or privacy requirements.

Missing User Warnings

High
Confidence
98% confidence
Finding
The check_and_charge function attempts to charge the user automatically as part of normal execution, with no confirmation dialog, authorization token from the user, or explicit notice at the time of charge. This creates a direct risk of unauthorized billing and is especially concerning in a skill whose stated purpose does not imply payment execution.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill writes a report file to disk automatically without informing the user or requesting consent. In an agent setting, unexpected filesystem writes can violate user expectations, overwrite existing files, or leave sensitive strategy/task content persisted on disk where other processes or users may access it.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code passes user_id into billing logic without any visible disclosure, consent, or explanation of how that identifier is used or transmitted. In agent environments, undisclosed sharing of billing-related identifiers can expose personal or account-linked data and create privacy and compliance issues.

External Transmission

Medium
Category
Data Exfiltration
Content
def charge_user(user_id: str) -> dict:
    """Charge user for skill usage"""
    try:
        response = requests.post(
            f"{BILLING_URL}/charge",
            json={
                "user_id": user_id,
Confidence
87% confidence
Finding
requests.post( f"{BILLING_URL}/charge", json=

External Transmission

Medium
Category
Data Exfiltration
Content
def get_payment_link(user_id: str, amount: float = 10) -> str:
    """Get payment link for user"""
    try:
        response = requests.post(
            f"{BILLING_URL}/payment-link",
            json={
                "user_id": user_id,
Confidence
84% confidence
Finding
requests.post( f"{BILLING_URL}/payment-link", json=

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal