portfolio-diagnosis (Public)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Prana remote-wrapper skill for portfolio analysis, but users should know their portfolio prompts are sent to a Prana service.

Install only if you are comfortable sending portfolio details, cost basis, positions, and related prompts to the configured Prana service. Use a dedicated or revocable Prana API key, keep config/api_key files out of public repositories, and redact sensitive holdings when privacy or compliance matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill metadata claims a simple portfolio-diagnosis function, but the detected capabilities include environment access, file reads, and network access without any declared permissions or user-visible disclosure. That creates a hidden trust boundary: the skill may access credentials/configuration and exfiltrate user data or send portfolio contents to external services without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
This is a significant description-behavior mismatch: the skill presents itself as a Tushare-driven local analysis tool, but apparently proxies requests to remote Prana/Claw APIs, reads local metadata, and uses credentials from environment variables or config files. Users may provide sensitive financial holdings believing analysis is local, while in reality portfolio data and possibly secrets are involved in undisclosed remote execution.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file is not implementing the advertised Tushare-based portfolio diagnosis locally; instead, it is a thin wrapper that forwards user input to a remote Prana service. This is dangerous because the published skill description materially misrepresents where processing occurs, preventing users and reviewers from assessing what code actually runs and what external systems receive sensitive portfolio data.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This code path is centered on loading API credentials and preparing remote execution, not on performing the claimed financial analysis. That mismatch increases supply-chain and privacy risk because users may believe they are running a bounded analytics skill while actually granting a generic remote service access to messages, credentials, and execution context.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The invoke path accepts arbitrary message content, thread identifiers, request identifiers, and a skill key loaded from metadata, then forwards them to a generic agent-run endpoint. This creates a broader remote skill-execution capability than the portfolio-diagnosis description suggests, which can be abused to run unintended remote actions or exfiltrate sensitive user content under the guise of a finance tool.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script transmits user messages and thread IDs to an external Prana service, but this file contains no user-facing disclosure, consent prompt, or data-minimization control. In the context of a portfolio diagnosis skill, those messages may contain holdings, account details, and investment history, making undisclosed transmission a meaningful privacy and compliance risk.
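The two controls this finding says are absent are an explicit consent gate before anything leaves the host and data minimization on the prompt itself. The block below is an added example of both, not the skill's own code and not the page's: it builds the outbound payload for a constructed portfolio prompt, refuses to do so without consent, and masks account identifiers, share quantities and cost-basis figures while keeping tickers so the remote analysis still has something to work with. The endpoint, field names and regex patterns are assumptions for illustration; nothing is transmitted.

```python
"""Consent gate and prompt redaction for a remote-wrapper skill.

Added example (not the skill's or the page's code). It shows a consent check
that must pass before a portfolio prompt is forwarded, and a redaction pass
that removes account numbers, quantities and cost-basis amounts. The endpoint,
field names and patterns below are constructed assumptions.
"""
import re

# Constructed patterns for data a portfolio prompt commonly carries.
ACCOUNT_RE = re.compile(
    r"\b(?:account|acct)\s*(?:no\.?|number|#)?\s*[:#]?\s*([A-Z0-9-]{6,})\b", re.I)
COST_BASIS_RE = re.compile(
    r"\b(?:cost basis|bought at|avg(?:erage)? (?:cost|price))\s*(?:of|at|:)?\s*\$?\s*"
    r"([\d,]+(?:\.\d+)?)", re.I)
QTY_RE = re.compile(r"\b(\d[\d,]*)\s+shares?\b", re.I)

# Constructed sample prompt, the kind of text the finding warns about.
SAMPLE_PROMPT = ("Account number 12345678: I hold 150 shares of AAPL bought at $132.50 "
                 "and 40 shares of NVDA, cost basis $210. Is my portfolio too concentrated?")


class ConsentRequired(Exception):
    """Raised when the user has not agreed to remote transmission."""


def _mask(placeholder):
    """Replace only capture group 1 of a match, keeping the surrounding context."""
    def sub(m):
        start, end = m.start(1) - m.start(0), m.end(1) - m.start(0)
        return m.group(0)[:start] + placeholder + m.group(0)[end:]
    return sub


def redact(prompt):
    """Mask identifiers and figures; tickers and the question itself survive."""
    out = ACCOUNT_RE.sub(_mask("[ACCOUNT]"), prompt)
    out = COST_BASIS_RE.sub(_mask("[AMOUNT]"), out)
    out = QTY_RE.sub(_mask("[QTY]"), out)
    return out


def build_remote_request(prompt, thread_id, consent_given, redact_holdings=True):
    """Return the payload that would be sent, or raise if consent is missing.

    The caller is responsible for the actual POST; keeping transmission out of
    this function makes the consent and redaction steps testable offline.
    """
    if not consent_given:
        raise ConsentRequired(
            "Portfolio prompts are sent to a remote service; explicit consent is required")
    body = redact(prompt) if redact_holdings else prompt
    return {
        "endpoint": "https://example.invalid/agent/run",   # assumed endpoint
        "thread_id": thread_id,
        "message": body,
        "disclosure": "This message will be processed by a remote service.",
    }


if __name__ == "__main__":
    print(redact(SAMPLE_PROMPT))
```

Redaction of this kind is a floor, not a ceiling: position sizes and tickers together can still identify a holder, so a deployment with real compliance constraints should also let the user review the exact redacted text before it is sent.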

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrases are broad natural-language requests such as '看看我的股票组合' ("take a look at my stock portfolio") and '帮我分析一下我买的股票' ("help me analyze the stocks I bought"), which can easily match ordinary conversation and cause unintended invocation. In a skill with network and filesystem permissions, accidental activation increases the chance of unnecessary data access, external API calls, and exposure of sensitive portfolio-related information.

VirusTotal

VirusTotal findings are pending for this skill version.
