ClawHub

gold-radar

Security checks across malware telemetry and agentic risk

Overview

This is a coherent gold-market analysis skill with financial-advice risk, but it does not show hidden execution, credential access, persistence, or malicious behavior.

Install only if you want gold-specific market monitoring and analysis. Treat all trading signals, price ranges, stop-loss rules, and allocation suggestions as general information, not personalized financial advice. Do not put brokerage credentials, account numbers, or private financial records in config.json, and verify market data independently before making any trade.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill description uses very broad trigger criteria such as general gold prices, investment analysis, market trends, trading signals, and portfolio management. This can cause unintended activation on loosely related financial queries, leading the agent to provide high-risk trading guidance when the user may not have explicitly requested this skill or decision support.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The invocation examples are ambiguously scoped, including broad prompts like wanting investment analysis, trading advice, market briefings, alerts, and portfolio tracking. In a financial skill, ambiguous activation is more dangerous because it may insert tailored investment recommendations into conversations that are only informational, increasing the chance of inappropriate or unauthorized financial guidance.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The top-level description contains broad activation phrases such as general gold investment analysis, trading signals, market outlook, and portfolio management. This can cause the skill to activate for loosely related finance queries and steer users into specialized financial guidance without clear scope boundaries, increasing the chance of inappropriate or overconfident advice.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The usage section lists multiple ambiguous activation conditions like asking for investment analysis, trading advice, market briefings, and portfolio tracking, but does not define boundaries for when the skill should not be used. In practice, this can lead to unintended invocation on adjacent financial topics and produce actionable financial guidance in contexts where the user did not clearly request it.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The skill is designed to provide investment analysis, trading advice, and buy/sell-style recommendations without any suitability, risk-tolerance, jurisdiction, or user-preference gating. Because this is a financial decision-support skill, the lack of checks makes the behavior more dangerous: users may receive personalized-sounding trading guidance that they are not equipped to evaluate safely.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The file gives specific buy/sell conditions, price ranges, position sizing, stop-loss rules, and portfolio allocation guidance that a user could reasonably treat as actionable financial advice. In the context of an investment-monitoring skill, this is more dangerous because the content is directly aligned with real trading decisions, yet it lacks any warning that the guidance is generalized, may be outdated, and is not personalized to the user's risk tolerance or financial situation.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal