Quantitative Trading Signals (量化交易信号)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed market-analysis script, but users should treat its trading suggestions as informational only.

Install it in a Python virtual environment instead of using --break-system-packages. Do not treat the generated signals as personalized financial advice or automatic trading instructions, and verify any investment decision independently.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The script produces explicit trading-oriented recommendations such as '关注买入机会', '可以适当关注', and '建议观望或减仓' without any disclaimer, suitability warning, or statement that the output is informational only. In a trading-signals skill, this context makes the issue more dangerous because users are likely to rely on the output for real financial decisions, increasing the risk of loss or misuse as unlicensed investment advice.

VirusTotal

64/64 vendors flagged this skill as clean.
