Tvscreener

Security checks across malware telemetry and agentic risk

Overview

This is a coherent TradingView screener helper; its main cautions are optional CSV exports to user-chosen paths and unpinned auto-install behavior in shell wrappers.

Install and run this in a virtual environment, review or pin the tvscreener dependency before using the shell wrappers, and choose CSV output paths deliberately so you do not overwrite important files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium. Confidence: 85%.

Finding:
The script can write query results to an arbitrary local path via --csv, but the skill description emphasizes querying and does not disclose filesystem write behavior. In agent environments, undocumented file-write capability increases risk because a caller may trigger persistent local data creation or overwrite files in unexpected locations.

Missing User Warnings

Low. Confidence: 88%.

Finding:
Writing CSV output without clear disclosure or warning can surprise users and downstream agents, especially in automation contexts where local side effects are important. While this is not inherently malicious, silent file creation can contribute to data leakage, unexpected persistence, or overwriting of user files if the path is attacker-influenced.

Missing User Warnings

Medium. Confidence: 97%.

Finding:
The script will automatically run `pip install -q -U tvscreener` if the import check fails, without prompting the user or constraining the version. This can modify the local Python environment unexpectedly, trigger network access and code download during a test run, and install a newer package version than intended, which increases supply-chain and reproducibility risk.

VirusTotal

66/66 vendors flagged this skill as clean.