Skills for macroeconomic data released by ft.tech.

Security checks across malware telemetry and agentic risk

Overview

This skill runs bundled Python scripts to fetch disclosed public macroeconomic data from market.ft.tech, with no evidence of credential access, persistence, local data collection, mutation, or destructive behavior.

Install only if you are comfortable with your agent running the bundled Python scripts and sending macroeconomic indicator queries to market.ft.tech. Users who need strict routing should narrow prompts to the exact country and dataset, especially for generic terms like CPI, tax revenue, investment, industrial growth, or retail sales.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs the agent to derive a local file path, invoke `python <RUN_PY> ...`, optionally read additional `sub-skills/.../SKILL.md` files, and call external HTTP endpoints, which collectively require file read, shell execution, and network access. Because these capabilities are present but not explicitly declared, the runtime may grant broader access than reviewers or policy systems expect, reducing transparency and weakening least-privilege controls.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The description includes broad trigger phrases like "CPI" and "China CPI" without requiring clear geographic or economic-data context, so the skill may be invoked for unrelated CPI meanings or overly generic inflation requests. In an agent setting, this can cause incorrect tool selection, misleading economic answers, or unnecessary external data access when another skill or clarification would be more appropriate.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger description includes broad phrases such as '中国投资' and '固定资产投资', which can cause the orchestrator to invoke this skill for general China investment questions that are not specifically about the monthly fixed-asset-investment dataset. This can lead to skill misrouting, incorrect answers, and unintended disclosure or misuse of irrelevant economic data in downstream workflows.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger description contains broad phrases such as “工业增长”, “中国工业”, and “China industrial added value”, which can cause the router to invoke this skill for general China industry questions rather than the specific monthly industrial added value metric. This can lead to skill misselection, returning irrelevant or misleading macroeconomic data to users and reducing trust in the system’s responses.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger terms are broad enough that the skill may activate for loosely related questions about Chinese consumption or retail trends, even when the user did not specifically request this monthly retail-sales dataset. Over-broad routing can cause incorrect tool selection, misleading answers, or unnecessary disclosure of external data, though this skill is read-only and narrowly scoped to macroeconomic data so the direct security impact is limited.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger description includes broad terms such as “税收收入”, “税收月度”, and “中国税收”, which can match user requests that are not specifically about the nationwide monthly tax revenue dataset exposed by this skill. This can cause the orchestrator to invoke the wrong skill, leading to misleading answers, data confusion, or inappropriate tool selection across adjacent finance topics.

VirusTotal

64/64 vendors flagged this skill as clean.
