Tech Earnings Deep Dive

Security checks across malware telemetry and agentic risk

Overview

This is a Markdown-only tech earnings analysis skill with disclosed financial research behavior and no evidence of hidden code, credential access, persistence, or trade execution.

Install only if you want a public-information tech-stock earnings research assistant. Verify primary sources and assumptions yourself, and do not treat its Action Price, position sizing, or buy/sell/hold framing as personalized financial advice or authority to trade.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Vague Triggers

Medium, 90% confidence
Finding
The README defines activation in very broad terms for essentially any tech-company earnings query, without hard boundaries, exclusions, or disambiguation rules. In a skill-routing system, this can cause over-triggering and prompt collision, leading the agent to invoke this skill in contexts where a narrower or safer skill would be more appropriate.

Vague Triggers

Medium, 88% confidence
Finding
The use-case table states these prompts 'will trigger' the skill, but many examples are broad natural-language requests that could appear in ordinary discussion. This ambiguity increases the chance of unintended activation, which can override user intent, produce irrelevant output, or interfere with other skills competing for the same query.

Vague Triggers

Medium, 92% confidence
Finding
Saying the skill activates on 'related topics' without defining that term leaves routing behavior underspecified and easy to over-broaden. In practice, undefined relevance language can make activation unpredictable, causing accidental invocation during generic company discussions rather than intentional earnings analysis.

Vague Triggers

Medium, 90% confidence
Finding
The English section repeats the same broad auto-activation claim for tech-company earnings questions without precise constraints. Duplicating the ambiguity across languages increases the operational risk that integrators or users interpret the trigger as universally applicable, amplifying unintended routing behavior.

Vague Triggers

Medium, 87% confidence
Finding
The English examples are framed as prompts that 'will trigger' the skill, yet several are broad portfolio or valuation questions common in normal conversation. This can create trigger collisions and encourage the skill to capture general investing queries beyond its intended earnings-deep-dive scope.

Vague Triggers

Medium, 92% confidence
Finding
Using the undefined phrase 'relevant topics' in the English usage section leaves activation scope open-ended. Open-ended routing language is risky because it can silently expand the skill's authority, causing unexpected activation and reducing predictability in multi-skill environments.

Vague Triggers

Medium, 96% confidence
Finding
The skill description uses very broad trigger phrases like generic earnings-analysis and buy/hold questions, plus explicit instructions that it 'must' be used even for vague prompts. This can cause over-invocation, routing ordinary finance questions into a heavyweight prescriptive workflow, increasing the chance of irrelevant skill activation and reducing user-intent fidelity.

Natural-Language Policy Violations

High, 93% confidence
Finding
The skill is authored entirely in Chinese and instructs a fixed Chinese response style without offering user language choice or documenting a locale-only restriction. If invoked for users asking in other languages, it can override user preference, degrade comprehension, and cause unsafe miscommunication in a high-stakes financial-analysis context where nuance matters.

VirusTotal

65/65 vendors flagged this skill as clean.
