Advanced Financial Ml

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it mixes unrelated finance/documentation scopes and includes trading, broker, local setup, and automatic skill-saving behavior that users should review carefully.

Install only if you specifically want a ZVT/A-share quant helper and are comfortable reviewing generated financial code. Use an isolated Python environment before running suggested pip or recorder commands, do not connect broker or paid-provider credentials unless you explicitly intend that workflow, and disable or decline any automatic saving of new skill files unless you want the agent to persist that behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (12)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The skill is presented as a financial ML/backtesting capability, but its top use case is Sphinx documentation configuration. This kind of capability/use-case mismatch can cause the agent to load or invoke the skill under the wrong circumstances, confusing routing and expanding access beyond what the user intended. In a finance-oriented skill, such ambiguity is more dangerous because the same file also references trading and data workflows, increasing the chance of accidental misuse.

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The documented pipeline includes data collection, storage, and trading execution, which implies operational market actions, while the surrounding description frames the skill as a research/backtesting tool. This discrepancy can mislead an agent or user into enabling execution-capable behavior when they expected offline analysis only, creating a meaningful risk of unintended external actions in a financial context.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The human summary describes a ZVT-based quant workflow while the skill metadata says the skill is for MlFinLab. This mismatch can cause the agent to invoke the wrong skill, generate incorrect code, or route users into unsupported tooling and data-provider assumptions, which is especially risky in financial analysis where users may act on faulty backtests or strategy outputs.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The seed metadata, intent routing, and exposed use case materially mismatch the declared skill identity. A user invoking an 'advanced-financial-ml' MlFinLab skill could be routed into unrelated ZVT/A-share or documentation behavior, which is dangerous because capability confusion in agent skills can cause execution of the wrong workflow, misuse of local data/tools, and invalid financial outputs under false assumptions.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The post-install and human-facing text advertises ZVT quant/backtesting assistance while the skill is labeled as MlFinLab advanced financial ML. This creates deceptive operator expectations and increases the chance that users will trust the wrong constraints, data assumptions, or execution paths, especially in a finance context where look-ahead bias, venue assumptions, and market-specific rules matter.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
A documentation-generation capability is out of scope for a financial ML skill and indicates supply-chain/configuration drift. While it is not code execution in itself, an unjustified capability broadens the effective attack surface and can cause agents to take actions unrelated to the user's expected domain, undermining trust boundaries and policy selection.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The intent router exposes a Sphinx documentation workflow instead of financial ML operations, meaning normal user requests may be misclassified into an unrelated action path. In an agent setting, incorrect routing is security-relevant because it can bypass the expected preconditions, safeguards, or disclosure model for the intended task.

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The artifact simultaneously claims ZVT trading/backtest assistance in embedded descriptions while only exposing a Sphinx documentation route. Contradictory capability claims are dangerous because they can mislead the host or user about what will happen at execution time, creating unsafe reliance on nonexistent safeguards or on the wrong market/trading assumptions.

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger condition matches broad intent terms plus generic action verbs such as run, execute, backtest, fetch, or collect. Overly broad triggers can cause unintended activation for loosely related requests, especially when the skill also claims wide financial data and trading functionality, which increases the blast radius of mistaken invocation.

Vague Triggers

Medium
Confidence: 80%
Finding
Phrases like 'Just tell me what you want; I'll write the code' are overly broad and can trigger the skill for requests beyond its intended scope. In combination with the scope mismatch, this increases the chance of unintended activation and misleading financial code generation for unsupported tasks or markets.

Vague Triggers

Medium
Confidence: 84%
Finding
The execute trigger combines generic action verbs with broad positive terms, increasing the risk of unintended activation. In a skill that references installation, execution, and financial workflows, accidental triggering can cause the agent to enter an execution path when the user only intended discussion, which is especially risky in finance-related contexts.

Natural-Language Policy Violations

Medium
Confidence: 79%
Finding
The natural-language copy defaults users into an A-share framing without clear opt-in, which can silently bias downstream assumptions about market structure, transaction costs, T+1 rules, and data sources. In a financial skill, hidden default market assumptions can invalidate analysis or cause inappropriate execution logic to be selected.

VirusTotal

66/66 vendors flagged this skill as clean.