Simulated Trading System

Security checks across malware telemetry and agentic risk

Overview

This is a coherent paper-trading skill, but it deserves review because it reads an API key from a shell profile, sends portfolio symbols to Eastmoney by default, and can hard-delete local simulation data without confirmation.

Install only if you are comfortable with a local simulated-trading database and default Eastmoney quote lookups. Prefer passing EM_API_KEY only for the specific run instead of storing it in ~/.bashrc, use --no-refresh when portfolio symbols should stay local, and treat delete commands as permanent unless you have backed up the database.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The script expands its credential access surface by reading EM_API_KEY not only from the process environment but also directly from the user's ~/.bashrc. That behavior reaches into unrelated shell configuration and implicitly harvests secrets without clear user consent, which is unnecessary for a trading refresh operation and increases the chance of unintended credential exposure or misuse.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The trigger text is broad enough to match many ordinary investing or portfolio questions, which could cause the skill to activate for analysis-only requests and then perform stateful or networked actions. In a trading-context skill, overbroad invocation increases the chance of unintended order placement, data mutation, or external data fetches.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The documentation exposes portfolio deletion without any confirmation, backup, or warning about irreversibility. In a stateful trading simulator, accidental deletion can destroy account history, holdings, and performance records, making recovery difficult or impossible.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
Deleting market data is documented as a simple operation without warning that downstream order execution, matching, and valuation depend on those records. Users or agents may unknowingly break trading workflows or distort NAV/performance calculations by removing required price data.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill states that portfolio and performance commands automatically fetch live prices from Eastmoney by default, but does not clearly warn that holdings symbols and related query metadata will be transmitted to a third party. This is a privacy and data-governance issue, especially for sensitive or proprietary watchlists and strategies.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The documentation recommends storing an API key in shell startup files and auto-reading it, but gives no warning about credential leakage through shared accounts, shell history, backups, or overly broad environment inheritance. This encourages weak secret-handling practices that can expose the market-data credential to other processes or users.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
Reading a credential from ~/.bashrc occurs silently and without any user-facing disclosure, so users may not realize the skill is accessing shell startup files to obtain secrets. In an agent context, this is sensitive because it normalizes hidden credential collection beyond the minimum needed scope and can violate user expectations and least-privilege principles.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The code sends queried symbols to Eastmoney external services to retrieve prices, but there is no visible disclosure or consent flow informing the user that portfolio holdings or requested tickers will leave the local system. In a trading skill this data sharing is functionally related, but portfolio composition can still be sensitive financial information, so silent transmission creates a privacy risk.

VirusTotal

VirusTotal findings are pending for this skill version.