Abs Cashflow Modeling

Security checks across malware telemetry and agentic risk

Overview

This skill is labeled as ABS cash-flow modeling, but its instructions also direct agents into stock/crypto quant backtesting, broker/provider setup, and persistent skill-file creation.

Review before installing. Use only in an isolated, offline/backtest environment unless you explicitly intend ZVT market-data and trading workflows. Do not provide broker or paid-provider credentials, and do not allow automatic saved-skill creation unless that persistence is wanted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (18)

Intent-Code Divergence

Severity: High | Confidence: 98%
The skill is presented as ABS cashflow and tranche-risk modeling, but the embedded pipeline and execution guidance pivot into equity/crypto data collection, factor computation, backtesting, and trading execution. This kind of capability drift can cause an agent to perform actions outside the user’s expected scope, including invoking market/trading workflows when the user intended only structured finance analysis.

Intent-Code Divergence

Severity: High | Confidence: 99%
The semantic locks enforce trading-system invariants such as sell-before-buy ordering, next-bar execution, entity ID formats, and MACD parameter locks, none of which belong to ABS cashflow modeling. Embedding unrelated execution constraints in a finance-modeling skill materially increases the risk that an orchestration system routes requests into trading logic or treats the skill as authorized for order-generation behavior.

Description-Behavior Mismatch

Severity: High | Confidence: 97%
The manifest advertises a narrow financial-modeling purpose, but the documented behavior later expands into securities trading and backtesting functionality. This is a classic scope-deception problem: system operators or users may approve the skill based on the benign manifest while the effective behavior grants broader and riskier capabilities.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
The documentation explicitly introduces algorithmic-trading and technical-analysis options such as MACD, MA crossover, volume breakout, provider selection, and target stock/entity identifiers. These capabilities are unjustified for ABS cashflow modeling and could lead an agent to collect market data, generate signals, or prepare execution-oriented outputs outside the intended domain.

Description-Behavior Mismatch

Severity: High | Confidence: 98%
The human summary materially conflicts with the declared skill purpose: instead of ABS cashflow modeling, it advertises a broad ZVT quant trading/backtesting assistant for A-share, HK, and crypto. This kind of skill-identity mismatch is dangerous because it can cause the agent to invoke or route to the wrong capability, potentially expanding scope into unintended financial analysis and code generation behaviors.

Intent-Code Divergence

Severity: High | Confidence: 99%
The tagline and use cases actively position the skill as a quant trading assistant, not an ABS structuring/modeling tool. That is more than a documentation typo: it can mislead users and orchestrators into granting the skill requests outside its declared domain, increasing the risk of inappropriate tool use, confused-deputy behavior, and execution of financial workflows unrelated to the intended ABS function.

Description-Behavior Mismatch

Severity: High | Confidence: 98%
The lock rules and preconditions are clearly for equity trading/backtesting, not ABS cashflow modeling as declared by the skill metadata. This creates a capability/context mismatch that can mislead an agent into invoking unrelated market-trading workflows, dependencies, and assumptions, expanding the skill’s effective attack surface and enabling unintended actions.

Context-Inappropriate Capability

Severity: High | Confidence: 97%
The documentation embeds stock trading strategy semantics such as sell/buy execution ordering, MACD parameters, transaction costs, and T+1 equity rules, none of which are justified by an ABS cashflow modeling skill. In an agent setting, such hidden or mismatched operational instructions can steer execution toward unauthorized financial trading behavior or cause downstream components to load and act on irrelevant trading logic.

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
The preconditions require installation and use of zvt, access to equity market data, and execution of a recorder to fetch stock kdata, which is unrelated to ABS cashflow analysis. This can induce unnecessary external connectivity, data acquisition, and code execution paths, increasing operational risk and potentially causing an agent to perform actions outside the user’s expected scope.

Description-Behavior Mismatch

Severity: Critical | Confidence: 99%
The seed is materially inconsistent with the advertised skill purpose: it claims ABS cashflow modeling but embeds a ZVT stock-trading/backtest workflow, including data fetch, trading execution, and result validation logic. This creates a severe capability-confusion risk where a user invoking a finance-structuring skill could unintentionally trigger unrelated market-data collection, strategy execution, or file-writing behaviors outside expected scope.

Intent-Code Divergence

Severity: High | Confidence: 98%
The user-facing sections actively advertise A-share quant strategy building and ZVT backtesting, directly contradicting the stated ABS modeling purpose. Misleading operational documentation is dangerous because it drives users to provide inputs and confirmations for a different execution path than intended, increasing the chance of unintended actions and trust-boundary violations.

Context-Inappropriate Capability

Severity: High | Confidence: 97%
The seed includes stock-trading/backtesting capabilities, market-specific preconditions, and trading-oriented execution controls that are unjustified for an ABS cashflow-modeling skill. In this context, the extra capabilities expand the operational surface unnecessarily and can cause users or host agents to install packages, fetch data, and prepare execution environments unrelated to the declared task.

Vague Triggers

Severity: Medium | Confidence: 89%
The execute trigger activates when intent roughly matches listed terms plus a generic action verb like run, execute, fetch, collect, 跑, or 执行. Because the scope is broad and weakly bounded, normal user language could unintentionally invoke this skill, especially in a multi-skill environment where routing depends on keyword matching.

Vague Triggers

Severity: Medium | Confidence: 84%
Several triggers, including terms like basic deal, ABS, mortgage pool, ARM, and step-up, are broad enough to overlap with ordinary financial discussion or unrelated contexts. In an agent router, such generic phrases can cause accidental selection of the wrong skill, which is more dangerous here because the skill body contains unrelated trading/execution behavior.

Vague Triggers

Severity: Medium | Confidence: 84%
The invocation text is overly broad ('Just tell me what you want; I'll write the code') and overlaps with common user requests, which makes accidental or excessive invocation more likely. In the context of a mislabeled financial skill, this broad language compounds risk by encouraging general-purpose code generation and strategy assistance beyond the declared ABS cashflow scope.

Vague Triggers

Severity: Medium | Confidence: 89%
The execute trigger fires when broad verbs like 'run' or 'execute' appear alongside positive terms, which is prone to accidental activation in ordinary conversation. Because this skill already has severe domain confusion, loose trigger matching increases the probability that the wrong execution path is entered without clear user intent.

Vague Triggers

Severity: Medium | Confidence: 84%
Several sample trigger phrases are overly generic finance terms, making it easy for normal discussion to be misinterpreted as a request to invoke the skill. In a misconfigured skill that already mixes ABS modeling and stock backtesting, broad triggers materially increase unintended activation risk.

Missing User Warnings

Severity: Medium | Confidence: 87%
The manifest specifies automatic writing of a .skill file after successful execution, but the user is not clearly warned at the moment this persistence occurs. Silent persistence is risky because it alters the environment and creates durable artifacts without explicit, context-specific consent.

VirusTotal

65/65 vendors flagged this skill as clean.