scanner

Security checks across malware telemetry and agentic risk

Overview

This is a coherent stock-scanning skill, but users should confirm paths and use an isolated Python environment before running it.

Install only if you want the skill to read your watchlist CSV, send ticker queries to TradingView, and create report/cache files in your Obsidian vault. Before running it, confirm the CSV and output paths, avoid storing sensitive portfolio amounts (share counts, cost basis, account identifiers) in the watchlist, install its dependencies into a virtual environment instead of using pip's --break-system-packages flag, and only add the cron job if you intentionally want automatic daily scans.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The trigger phrases extend beyond a narrow command list to broad requests like batch technical analysis or TradingView data scans. Over-broad activation can cause the skill to run in situations the user did not intend, potentially leading to unnecessary local file reads, network access, or report generation.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The description states that generated reports will be written back into the user's Obsidian vault, but it does not prominently warn that local files will be created or modified. In a skill that operates on personal local notes, silent write behavior increases the risk of surprising file changes, overwrites, or placement in unintended directories.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The setup step recommends 'pip install ... --break-system-packages', which can alter the user's system Python environment and bypass package-management safeguards. Without warning or isolation guidance, this may destabilize the host environment or introduce dependency conflicts beyond the skill itself.
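The Overview's pre-run checklist and the two findings above (silent writes into the vault, installation outside an isolated environment) are the kind of thing a user can enforce with a small pre-flight guard rather than rely on remembering. The following is an example written for this review, not the scanned skill's own code. It assumes a watchlist CSV with a `ticker` column and an optional `note` column, a single vault root that is the only directory the skill may write into, and a TradingView-style `EXCHANGE:SYMBOL` ticker format; those names and shapes are assumptions, and the two CSV samples are constructed. The guard refuses to run outside a virtual environment, refuses watchlist columns that would carry position sizes, validates every symbol before it could be sent anywhere, confines report paths to the vault (rejecting `..`, absolute paths and symlinks that point out of it), and never overwrites an existing note.

```python
# Added pre-flight guard for a skill that reads a watchlist CSV and writes
# reports into an Obsidian vault. Example code for this review, not the
# scanned skill's code; column names, ticker format and report layout are
# assumptions.
import csv
import os
import re
import sys
import tempfile
from pathlib import Path

# Assumed watchlist schema. Anything else (shares, cost basis, account ids)
# is refused so it can never reach a report, a cache file or an outbound query.
ALLOWED_COLUMNS = {"ticker", "note"}
# Assumed ticker shape: plain symbols, class shares (BRK.B) and EXCHANGE:SYMBOL.
TICKER_RE = re.compile(r"^(?:[A-Z]{1,16}:)?[A-Z0-9][A-Z0-9.\-]{0,15}$")

# Constructed samples: one acceptable watchlist, one carrying position sizes.
WATCHLIST_OK = "ticker,note\nNVDA,gpu\nBRK.B,insurance\nNASDAQ:AMD,\n"
WATCHLIST_BAD = "ticker,shares,cost_basis\nNVDA,120,48000\n"


def running_in_venv() -> bool:
    """True when the interpreter is a venv/virtualenv, i.e. dependencies were
    not forced into the system Python with --break-system-packages."""
    return sys.prefix != getattr(sys, "base_prefix", sys.prefix)


def load_watchlist(csv_path: Path) -> list[str]:
    """Return validated tickers; refuse unexpected columns and malformed symbols."""
    with csv_path.open(newline="", encoding="utf-8") as fh:
        reader = csv.DictReader(fh)
        fields = set(reader.fieldnames or [])
        if "ticker" not in fields or fields - ALLOWED_COLUMNS:
            raise ValueError(f"unexpected watchlist columns: {sorted(fields)}")
        tickers = []
        for row in reader:
            sym = (row["ticker"] or "").strip()
            if not TICKER_RE.match(sym):
                raise ValueError(f"refusing malformed ticker {sym!r}")
            tickers.append(sym)
    return tickers


def confine(vault_root: Path, requested: Path) -> Path:
    """Resolve `requested` under `vault_root`; reject '..', absolute paths and
    symlinks whose target lies outside the vault."""
    root = vault_root.resolve(strict=True)
    target = (root / requested).resolve()  # an absolute `requested` replaces root
    if target != root and root not in target.parents:
        raise ValueError(f"refusing to write outside vault: {requested}")
    return target


def write_report_noclobber(vault_root: Path, name: str, body: str) -> Path:
    """Create a new report inside the vault; fail rather than overwrite a note."""
    target = confine(vault_root, Path(name))
    target.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(body)
    return target


def _raises(exc, fn, *args) -> bool:
    try:
        fn(*args)
    except exc:
        return True
    return False


def demo() -> dict:
    """Exercise every guard against a throwaway vault and report the outcomes."""
    out = {}
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        vault = tmp / "vault"
        vault.mkdir()
        (tmp / "ok.csv").write_text(WATCHLIST_OK, encoding="utf-8")
        (tmp / "bad.csv").write_text(WATCHLIST_BAD, encoding="utf-8")
        out["tickers"] = load_watchlist(tmp / "ok.csv")
        out["amounts_rejected"] = _raises(ValueError, load_watchlist, tmp / "bad.csv")
        report = write_report_noclobber(vault, "Reports/scan.md", "# scan\n")
        out["report_inside_vault"] = vault.resolve() in report.parents
        out["overwrite_rejected"] = _raises(
            FileExistsError, write_report_noclobber, vault, "Reports/scan.md", "x")
        out["dotdot_rejected"] = _raises(ValueError, confine, vault, Path("../outside.md"))
        out["absolute_rejected"] = _raises(ValueError, confine, vault, tmp / "outside.md")
        (vault / "escape").symlink_to(tmp)  # symlink inside the vault pointing out of it
        out["symlink_rejected"] = _raises(ValueError, confine, vault, Path("escape/outside.md"))
    return out


if __name__ == "__main__":
    if not running_in_venv():
        sys.exit("run this skill from a virtual environment, not the system Python")
    print(demo())
```

The venv check is the runtime counterpart of the installation advice: if the skill's entry point refuses to start outside a virtual environment, a user who followed the `--break-system-packages` instruction finds out immediately rather than after their system Python has been altered. The `O_EXCL` open is what turns "reports are written into the vault" into "reports are created in the vault, existing notes are never replaced".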

VirusTotal

58/58 vendors flagged this skill as clean.
