Alphalens Factor Analysis

Security checks across malware telemetry and agentic risk

Overview

This finance-analysis skill includes unrelated documentation/deployment workflows and execution/persistence behaviors that need careful review before use.

Install only if you are comfortable with a broad quant-workflow assistant, not just a read-only factor-analysis helper. Review the seed instructions first, use an isolated Python environment, avoid broker or paid-provider credentials unless explicitly needed, and require confirmation before package installs, code execution, data recorder runs, or saving generated skills.

Scanned by SkillSpector (NVIDIA)
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (19)

Description-Behavior Mismatch (High, 94% confidence)

The skill is presented as factor-analysis/reporting, but its documented pipeline explicitly includes data collection, storage, target selection, and trading_execution. This scope expansion can cause an agent to invoke the skill in situations that lead to live or semi-live trading actions rather than offline research, creating a dangerous capability mismatch.

Description-Behavior Mismatch (Medium, 89% confidence)

The documented use cases include documentation deployment and Sphinx configuration, which are unrelated to quantitative factor analysis. This kind of mixed-purpose capability description increases the chance of accidental invocation, unsafe tool routing, or privilege creep into file-system/build/deployment actions that users would not expect from a finance-analysis skill.

Context-Inappropriate Capability (Medium, 87% confidence)

Documentation deployment is context-inappropriate for a factor-analysis skill and represents unjustified extra capability. In agent ecosystems, capability drift like this can expose build, publish, or file modification actions under the cover of an analytics tool, increasing the attack surface and likelihood of unintended side effects.

Context-Inappropriate Capability (Medium, 84% confidence)

Sphinx configuration is not justified by the stated purpose of factor analysis and introduces unrelated operational behavior. Even if included accidentally from a shared template, this mismatch can misroute agent behavior toward environment or project configuration changes rather than analysis tasks.

Description-Behavior Mismatch (High, 95% confidence)

The human-facing summary claims a broad end-to-end quant strategy builder that can fetch data, write code, and backtest, while the declared skill is only for Alphalens-style factor analysis. This scope inflation can mislead users into granting broader trust and using the skill for actions outside its reviewed purpose, increasing the chance of unsafe code generation, data misuse, or unauthorized workflow execution.

Context-Inappropriate Capability (Medium, 89% confidence)

Advertising unrelated capabilities such as Sphinx documentation configuration and deployment is inconsistent with a factor-analysis skill and suggests either copy-pasted metadata or deceptive overclaiming. Even if not directly exploitable as code execution, this misrepresentation broadens perceived authority and may cause users or orchestrators to invoke the skill in unintended contexts.

Description-Behavior Mismatch (High, 98% confidence)

The seed for an Alphalens factor-analysis skill also exposes documentation deployment/configuration workflows, creating a clear scope mismatch between declared purpose and actual behavior. In an agent setting, this kind of capability confusion is dangerous because unrelated commands may be routed into execution paths the user did not intend, increasing the chance of unauthorized code execution, package installation, file modification, or misleading output.

Description-Behavior Mismatch (High, 98% confidence)

The intent router includes documentation-oriented commands unrelated to factor analysis, which means normal requests like 'docs' or 'build' could activate this skill despite its advertised finance-analysis role. That expands the reachable attack surface and makes accidental or adversarial invocation easier, especially because the execution trigger already relies on broad positive-term matching and action verbs.

Description-Behavior Mismatch (Medium, 89% confidence)

The human-facing summary claims end-to-end ZVT strategy building and backtesting, which materially exceeds the manifest's narrower Alphalens analysis/reporting description. This is dangerous because users may trust the broader claims and authorize actions involving data collection, strategy generation, or execution scaffolding that they did not expect from a reporting-oriented skill.

Context-Inappropriate Capability (High, 97% confidence)

Including documentation deployment/build capability in a factor-analysis skill is unjustified privilege expansion: build/deploy workflows can install packages, read and write project files, and trigger code execution that has nothing to do with financial analysis. In a hostile or confused-deputy scenario, that lets an attacker smuggle operational tasks behind a benign-seeming analysis skill.

Context-Inappropriate Capability (Medium, 93% confidence)

The seed declares generic collector, training, and serving entry points beyond the stated factor-analysis purpose, which broadens the executable surface from analysis into data ingestion, model building, and service operation. Even if not immediately malicious, these latent modes increase the risk of unintended side effects, persistence, and misuse once the skill is invoked under ambiguous intent matching.

Intent-Code Divergence (High, 98% confidence)

The post-install positioning says the skill builds A-share quant strategies with ZVT from data fetch to backtest, directly contradicting the manifest's Alphalens factor-analysis description. This kind of misleading positioning is dangerous because it encourages users to trust broader operational powers than expected and can socially engineer them into approving installs, execution, or file changes outside the advertised scope.

Intent-Code Divergence (High, 98% confidence)

The human summary presents the assistant as a ZVT strategy/backtest builder rather than an Alphalens analysis tool, creating a materially false representation of what the skill can do. In agent ecosystems, deceptive or inaccurate self-description is risky because it changes user trust boundaries and can cause approval of higher-risk actions such as data fetching, code generation, and backtest execution.

Vague Triggers (Medium, 85% confidence)

The trigger phrases are broad and generic enough to overlap with ordinary user language, increasing the risk that the skill activates when the user did not intend to use it. In this context, accidental activation is more dangerous because the skill metadata also mixes in trading and deployment-adjacent capabilities, so a false trigger can lead to inappropriate actions or recommendations.

Vague Triggers (Medium, 91% confidence)

The execute trigger condition is ambiguous: it relies on loosely defined positive terms plus common action verbs like run/execute/backtest/fetch/collect and their Chinese equivalents 跑/执行. Such ambiguity can cause the skill to fire on normal conversation or on requests for data collection, and because the skill scope includes trading-related pipeline stages, the resulting misactivation carries meaningful operational risk.

Vague Triggers (Medium, 90% confidence)

Broad trigger keywords overlapping with common speech make unintended invocation much more likely, especially in conversational systems where users use short informal prompts. Combined with this skill's expanded hidden scope, accidental activation can lead to package installs, file writes, or execution paths unrelated to what the user meant.

Vague Triggers (Medium, 95% confidence)

The execution trigger uses broad action verbs like run/execute/backtest/fetch combined with positive-term matching, which is too permissive for a skill that can install packages and write files. This increases the chance of false activation and creates a confused-deputy risk where benign requests are interpreted as permission to perform system-affecting actions.

Vague Triggers (Medium, 88% confidence)

Post-install sample triggers are generic enough that users may unintentionally invoke this skill during unrelated conversations, especially for terms like 'build', 'config', or 'portfolio'. In context, this is more dangerous because the skill already suffers from scope confusion and includes execution-capable workflows beyond the stated Alphalens role.
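The trigger weakness described in the Vague Triggers findings above and in the intent-router finding, modelled side by side with a tightened router. This is an added example; it is neither the skill's own trigger configuration nor SkillSpector's output. The seed's real positive-term and verb lists are not reproduced on this page, so every term list below is a constructed assumption, as are the five sample prompts. The loose matcher fires whenever a broad positive term (including 'docs', 'build', 'config' and 'portfolio', which the findings name) co-occurs with a generic action verb; the stricter router requires a factor-analysis noun and an analysis verb, refuses any request that also names a denied capability (deployment, trading, package installs), and otherwise stays silent.

```python
import re

# Added example, not the skill's own trigger configuration or SkillSpector's
# output. Every term list below is a constructed assumption standing in for
# the seed's real positive-term and action-verb lists, which this page does
# not reproduce.

# Loose trigger as the findings describe it: broad "positive" nouns that
# overlap with everyday dev and finance talk, plus generic action verbs.
LOOSE_POSITIVE = {"factor", "alpha", "alphalens", "quant", "portfolio",
                  "docs", "build", "config", "data", "回测"}
LOOSE_VERBS = {"run", "execute", "跑", "执行", "backtest", "fetch", "collect"}

# Tightened trigger: domain-specific nouns only, analysis verbs only, and an
# explicit deny list for capabilities a factor-analysis skill should not own.
STRICT_NOUNS = {"alphalens", "factor", "ic", "quantile", "tear sheet", "因子"}
STRICT_VERBS = {"analyze", "analyse", "evaluate", "plot", "report", "分析"}
DENY = {"deploy", "publish", "sphinx", "docs", "trade", "order", "broker",
        "install", "pip", "交易", "下单", "部署"}


def _tokens(text):
    """ASCII word tokens, lowercased. Whole-token matching keeps 'orders'
    from matching 'order' and 'rebuild' from matching 'build'."""
    return set(re.findall(r"[a-z0-9_]+", text.lower()))


def _hits(text, terms):
    """Terms present in text. Single ASCII words must match a whole token;
    phrases containing spaces and CJK terms are matched as substrings,
    because Chinese text has no word boundaries to tokenize on."""
    toks = _tokens(text)
    low = text.lower()
    found = set()
    for t in terms:
        if t.isascii() and " " not in t:
            if t in toks:
                found.add(t)
        elif t in low:
            found.add(t)
    return found


def loose_trigger(text):
    """Fires whenever any broad positive term co-occurs with any action verb."""
    return bool(_hits(text, LOOSE_POSITIVE)) and bool(_hits(text, LOOSE_VERBS))


def strict_route(text):
    """'analysis' for a genuine factor-analysis request; 'refuse' when a
    factor request also asks for a denied capability (surface this to the
    user rather than silently routing it elsewhere); 'none' otherwise."""
    if _hits(text, DENY):
        return "refuse" if _hits(text, STRICT_NOUNS) else "none"
    if _hits(text, STRICT_NOUNS) and _hits(text, STRICT_VERBS):
        return "analysis"
    return "none"


# Constructed prompts: three everyday requests, one genuine analysis request,
# and one that mixes factor analysis with live trading.
SAMPLE_PROMPTS = [
    "run the docs build and publish to gh-pages",
    "fetch my config from the repo",
    "帮我跑一下回测",  # "run a backtest for me"
    "analyze the IC of my momentum factor with alphalens",
    "backtest this factor and place the orders through my broker",
]


def compare(prompts=SAMPLE_PROMPTS):
    """Rows of (prompt, loose fires?, strict route) for side-by-side review."""
    return [(p, loose_trigger(p), strict_route(p)) for p in prompts]


if __name__ == "__main__":
    for prompt, loose, strict in compare():
        print(f"loose={loose!s:5} strict={strict:8} {prompt}")
```

Under these assumed lists the loose trigger fires on the docs build, the config fetch and the bare Chinese backtest request, none of which is factor analysis, and does not fire on the one genuine Alphalens request because 'analyze' is not among its action verbs. The strict router activates only for that request and returns 'refuse' for the broker prompt; an agent should show that refusal to the user instead of falling through to a trading or deployment path.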

Missing User Warnings (Medium, 90% confidence)

The manifest specifies automatic file writing of saved skills after hard gates pass, but the behavior is not prominently disclosed near the action itself. Silent persistence is risky because it modifies the user environment and creates durable artifacts without a clearly localized, upfront consent boundary, which is especially problematic in a skill that already mixes unrelated capabilities.

VirusTotal

64/64 vendors flagged this skill as clean.
