Warren Buffett Investing Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is technically low-risk but should be reviewed because it gives concrete investment advice and overstates how verified its references are.

Install only if you want an educational Buffett-style investing aid, not a financial adviser. Do not let it access brokerage, payment, crypto, or purchase tools without explicit human approval, and independently verify historical claims, quotes, and any investment suggestion before acting.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Intent-Code Divergence

Medium, 94% confidence
Finding
The statement 'All facts verified. Sources noted.' asserts a high-trust guarantee that is not supported by inline citations and appears inconsistent with the content, which includes factual errors and speculative future claims. In an investment-framework skill, this can mislead users into overtrusting biographical and historical claims, weakening their ability to critically evaluate the material.

Missing User Warnings

Medium, 96% confidence
Finding
The skill gives concrete investment allocation advice ('Put 90% in a low-cost S&P 500 index fund. Put 10% in short-term government bonds') without any warning that the content is educational and not personalized financial advice. In an agent setting, users may treat this as authoritative guidance and act on it despite differences in risk tolerance, time horizon, tax situation, liquidity needs, or jurisdictional constraints.

VirusTotal

64/64 vendors flagged this skill as clean.
