ClawHub

指数通 (Index Expert)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent index-investing assistant, but it persistently stores financial preference profiles and self-updates its own guidance without clear user-facing consent.

Install only if you are comfortable with the skill saving your risk preference, investment horizon, focus areas, corrections, and feature requests in local skill files for future sessions. Avoid sharing personal holdings, account details, or other sensitive financial information, and review or clear the profile and memory files if you do not want personalization to persist.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill instructs persistent writes to user profile and learning-related files across conversations, which exceeds a simple index-analysis assistant's stated purpose and creates unnecessary data retention. This broadens the skill from analysis into behavioral tracking, increasing privacy risk and the chance that sensitive user preferences or conversation content are stored and later disclosed or misused.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The self-modifying reflection workflow directs the agent to append logs and rewrite internal guidance files, effectively allowing conversation content to alter future system behavior. This creates prompt-persistence and policy-drift risk: malicious or misleading user input could be laundered into memory/routing files and influence subsequent sessions.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill mandates automatic collection and persistence of user risk preference and holding-period information before proceeding, without clear necessity for basic index/news analysis. Even if financially relevant, forced profiling and cross-session retention increase privacy exposure and can lead to overcollection of sensitive preference data.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The instruction to rewrite internal guidance files during reflection mode gives the skill a persistent self-alteration capability unrelated to ordinary index analysis. In practice this can let adversarial users poison future behavior, degrade safety controls, or create hidden state changes that are hard to audit.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The write trigger is defined with broad natural-language cues such as user corrections or any 'new cognition worth remembering,' which can cause the agent to persist data without clear, bounded user consent. In a memory-like file, this creates a real risk of storing unintended, sensitive, or attacker-induced content that may influence later behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file explicitly instructs append-write behavior but does not require notifying the user that persistent stored data will be modified. This is dangerous because users may provide corrective feedback in conversation without realizing it will be retained, potentially leading to privacy issues, silent state manipulation, and long-term prompt poisoning through stored entries.

Ssd 3

Medium
Confidence
94% confidence
Finding
Persistent collection of user profile data across conversations creates a semantic data-retention risk because free-form preferences and inferred traits can accumulate over time. In a finance context, risk tolerance and investment horizon may be sensitive personal information, and storing them in natural-language files increases leakage and secondary-use risk.

Ssd 3

Medium
Confidence
96% confidence
Finding
Appending conversation-derived logs such as user corrections, errors, and feature requests into internal files creates a durable channel for sensitive or adversarial content to persist. Because these logs can later influence behavior or be exposed to other sessions, they increase both privacy leakage and memory-poisoning risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal