ClawHub

Groundapi Anomaly Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a coherent market-data skill that uses a disclosed GroundAPI MCP service and API key to fetch A-share anomaly information, with no hidden code or local access.

Install this only if you trust GroundAPI and are comfortable sending relevant market-analysis requests to its MCP service. Use a revocable, limited API key where possible, and treat the generated market analysis as informational rather than investment advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill’s trigger conditions are overly broad and include an open-ended "or similar expressions" clause, which can cause the skill to activate for ordinary market-related questions the user did not intend to route through this external-tool workflow. Because the skill is connected to a remote MCP service, accidental triggering can lead to unnecessary external data access and responses shaped by the skill instead of the base assistant, creating privacy, consent, and tool-misuse risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documentation includes a remote MCP endpoint and API-key header pattern without any user-facing disclosure about what data may be sent to the external service or how credentials are handled. In practice, this can normalize sending user queries and stock-analysis context to a third party without informed consent, and the embedded header example increases the risk of unsafe copy-paste credential exposure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal