Aml Data Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is advertised as an AML data generator, but its own instructions also steer agents into stock/crypto quant trading, backtesting, broker/provider setup, and unpinned package installation.

Install only if you intentionally want a mixed AMLSim and ZVT quant-trading assistant. Do not allow package installs, broker/provider credentials, paid data providers, market-data recorders, or trading/backtest execution unless you have explicitly reviewed the commands and are running in a sandbox with non-sensitive data.
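A pre-install check that applies the rule above mechanically, as an added example for this page (not code from the skill, from AMLSim/ZVT, or from SkillSpector): it scans a skill's instruction text for package installs that carry no version pin, for broker/provider credential names, and for trading/backtest/market-data steps, then returns the overview's allow/review/block decision. The sample instruction text, the credential variable names, the command list and the vocabulary regex are all constructed for the example and are not the real skill's content.

```python
"""Pre-install audit for an agent skill's instruction text (added example)."""
import re
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str       # unpinned_install | requirements_file | credential_reference | trading_scope
    line_no: int    # 1-based line in the instruction text
    detail: str


# Commands whose "install" subcommand pulls code from a package registry (constructed list).
INSTALL_CMDS = {"pip", "pip3", "uv", "conda", "npm", "poetry"}
# A spec counts as pinned only with an exact/compatible version or a direct URL (name@url).
PINNED_RE = re.compile(r"^[A-Za-z0-9_.\-\[\]]+(==|===|~=|@)\S+$")
# Upper-case env-style names ending in a credential suffix, e.g. BROKER_SECRET.
CRED_RE = re.compile(r"\b[A-Z][A-Z0-9_]*_(?:API_KEY|SECRET|TOKEN|PASSWORD|ACCESS_KEY)\b")
# Vocabulary that has no place in an offline AML data generator (constructed list).
TRADE_RE = re.compile(
    r"(?<![a-z])(backtests?|backtesting|brokers?|trading|market-data|recorders?)(?![a-z])",
    re.IGNORECASE,
)


def _tokenize(line: str) -> list[str]:
    try:
        return shlex.split(line, comments=True)
    except ValueError:  # prose with an unbalanced quote: fall back to a plain split
        return line.split()


def _install_specs(tokens: list[str]):
    """Yield (spec, is_requirements_file) for each package argument of an install command."""
    if not tokens or tokens[0] not in INSTALL_CMDS or "install" not in tokens:
        return
    args = tokens[tokens.index("install") + 1:]
    i = 0
    while i < len(args):
        tok = args[i]
        if tok in ("-r", "--requirement") and i + 1 < len(args):
            yield args[i + 1], True      # requirements file: contents not inspected here
            i += 2
            continue
        i += 1
        if tok.startswith("-"):           # any other flag, e.g. -U or -e
            continue
        if tok == "." or tok.startswith(("./", "/")):  # local checkout, reviewed separately
            continue
        yield tok, False


def audit_skill_instructions(text: str) -> list[Finding]:
    """Scan instruction text line by line and return every flagged item in document order."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for spec, is_req in _install_specs(_tokenize(line)):
            if is_req:
                findings.append(Finding("requirements_file", n, spec))
            elif not PINNED_RE.match(spec):
                findings.append(Finding("unpinned_install", n, spec))
        for m in CRED_RE.finditer(line):
            findings.append(Finding("credential_reference", n, m.group(0)))
        terms = sorted({m.group(1).lower() for m in TRADE_RE.finditer(line)})
        if terms:
            findings.append(Finding("trading_scope", n, ", ".join(terms)))
    return findings


def install_decision(findings: list[Finding], *, reviewed: bool, sandboxed: bool) -> str:
    """Overview rule: anything flagged needs an explicit command review AND a sandbox."""
    if not findings:
        return "allow"
    return "allow-after-review" if (reviewed and sandboxed) else "block"


# Constructed sample instruction text for the example; it is not the real skill's content.
SAMPLE_INSTRUCTIONS = """\
# Setup
pip install networkx
pip install -U zvt pandas==2.2.2
uv pip install -r requirements.txt
pip install -e .
export MARKET_DATA_API_KEY=your-key-here
Set BROKER_SECRET in your environment before starting the market-data recorder.
python run_backtest.py --strategy momentum
"""

if __name__ == "__main__":
    found = audit_skill_instructions(SAMPLE_INSTRUCTIONS)
    for f in found:
        print(f"line {f.line_no:>2}  {f.kind:<20} {f.detail}")
    print("decision:", install_decision(found, reviewed=False, sandboxed=True))
```

On the sample text the audit reports two unpinned installs, one requirements file it did not open, two credential names and two trading-scope lines, and the decision is "block" until the commands have been reviewed. The check is deliberately vocabulary-based and will miss a trading step described with other words; it is a gate for the human review the overview asks for, not a replacement for it.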

SkillSpector, by NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (16)

Intent-Code Divergence

High severity, 98% confidence
Finding
The skill claims to generate AML simulation data, but substantial sections describe securities/crypto data collection, factor computation, backtesting, and trading execution. This scope drift can lead an agent to invoke the wrong workflow or request unrelated financial/trading inputs, an intent-confusion condition that is especially risky where a host routes requests to skills automatically.

Intent-Code Divergence

High severity, 97% confidence
Finding
The declared pipeline includes trading-oriented stages such as factor_computation, target_selection, and trading_execution, which directly contradict the stated purpose of transforming transaction logs into AMLSim datasets. In an agent ecosystem, inconsistent operational steps can lead to unintended tool use or execution of financially sensitive actions outside the user's actual request.

Intent-Code Divergence

High severity, 98% confidence
Finding
The human summary describes a quant-strategy and backtesting assistant using ZVT, which materially contradicts the declared AML data generator purpose. This can cause the agent to be invoked for unrelated financial-code tasks, leading to scope confusion and unsafe tool use, and it erodes user trust because the skill presents capabilities outside its approved function.

Description-Behavior Mismatch

High severity, 97% confidence
Finding
The documented capabilities extend well beyond the manifest by advertising stock data collection, factor screening, and trading/backtesting workflows unrelated to AML simulation. Overbroad capability claims increase the chance of improper routing, accidental execution of unintended workflows, and misuse of the skill in contexts where it has not been reviewed or constrained.

Description-Behavior Mismatch

High severity, 95% confidence
Finding
The file defines trading-system semantic locks and zvt market-data setup steps that are unrelated to the declared AML synthetic transaction generation purpose. This mismatch can mislead an agent into executing irrelevant financial-trading workflows, installing unexpected dependencies, or using the wrong data/model assumptions, which is dangerous because skill reference files may steer runtime behavior and operator trust.

Intent-Code Divergence

High severity, 94% confidence
Finding
The documented intent focuses on trading execution rules, market indicators, and stock-data prerequisites, directly contradicting the skill's AML data-generation description. In an agent setting, contradictory documentation is risky because it can cause the system or a human reviewer to apply the wrong operational context, producing incorrect outputs or triggering unintended commands and dependency setup.

Description-Behavior Mismatch

Critical severity, 99% confidence
Finding
The skill metadata says it is an AML synthetic-data generator, but the referenced seed content in this region defines execution behavior for a different capability family centered on ZVT trading/backtesting workflows. This is dangerous because it creates a deceptive trust boundary: a user or host may approve installation expecting offline AML data tooling, while the skill actually routes into unrelated market/trading behaviors and dependencies.

Description-Behavior Mismatch

High severity, 99% confidence
Finding
This section implements architecture, scaffolding, and acceptance gates for trading/backtest workflows that do not belong in an AML synthetic-data generator. Hidden capability expansion is dangerous because it can cause the host to execute code paths, install packages, and generate outputs outside the user's expected scope, increasing the chance of unauthorized or unsafe operations.

Context-Inappropriate Capability

High severity, 97% confidence
Finding
The file introduces quant-trading and live-style execution capabilities that are unjustified by the declared AML data-generation purpose. In a skill system, unjustified execution capability is dangerous because it expands what the agent may do under a misleading label, potentially triggering market-data access, backtesting, or operational actions a user never intended to authorize.

Intent-Code Divergence

Critical severity, 99% confidence
Finding
The user-facing summary explicitly claims the skill helps build A-share quant strategies with ZVT, directly contradicting the AML data-generator identity. This is especially dangerous because user-facing summaries shape operator trust and consent; deceptive UX can induce users to install or invoke a skill under false assumptions about what code and workflows it contains.

Intent-Code Divergence

Critical severity, 99% confidence
Finding
These prompts and summaries steer the user toward ZVT market-data and backtesting tasks rather than AML simulation workflows. Because this content guides invocation, it materially increases the risk of unintended or unauthorized use of unrelated capabilities and confirms that the skill is effectively masquerading as something else.

Vague Triggers

High severity, 94% confidence
Finding
The execute trigger is broadly defined around vague intent matching plus common action verbs like run/execute/fetch/collect, without tightly binding those actions to AML-specific semantics. This increases the chance of accidental or adversarial invocation, causing the wrong skill to activate and potentially process unrelated or sensitive financial tasks.

Vague Triggers

Medium severity, 88% confidence
Finding
Several trigger phrases are generic enough to overlap with ordinary user language, which can cause unintended routing or activation. While less severe than direct command execution flaws, ambiguous triggers in an agent skill can still mis-handle user intent and pull the workflow into an unrelated financial domain.

Vague Triggers

Medium severity, 83% confidence
Finding
Phrases such as 'Just tell me what you want; I'll write the code' are overly broad and can match ordinary user requests unrelated to AML data generation. In the context of a mislabeled skill, this broad invocation language makes accidental triggering and cross-domain misuse more likely, amplifying the scope-confusion risk.

Vague Triggers

Medium severity, 84% confidence
Finding
The trigger term "validation" is overly broad and can match many unrelated user requests, causing accidental invocation of this skill. In the context of an already scope-confused skill, broad triggers are more dangerous because they increase the chance that the wrong capability set is activated under innocent user input.

Vague Triggers

Medium severity, 81% confidence
Finding
The phrase "simulation accuracy" is ambiguous and may match unrelated simulations, not specifically AMLSim alert validation. Ambiguous routing increases the chance of unintended skill activation and, given the broader manifest inconsistencies, can funnel users into workflows they did not request.
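The five Vague Triggers findings above all describe the same mechanism: a trigger phrase that matches ordinary language activates the skill on requests that have nothing to do with AML data. The following added example (not code from the skill, from the skill host, or from SkillSpector) makes that measurable. It scores the trigger phrases quoted in the findings against a set of labelled prompts, then shows a scoped router that only honours a trigger when an AML anchor term appears in the same prompt. The prompt set, the anchor list and the router logic are constructed for the example; the real host's routing is not known from this page.

```python
"""Trigger-overlap check for an agent skill's invocation phrases (added example)."""
import re

# Trigger phrases quoted or paraphrased from the findings above: the generic action
# verbs, "validation", "simulation accuracy", and the "just tell me what you want" catch-all.
BROAD_TRIGGERS = [
    "validation",
    "simulation accuracy",
    "run", "execute", "fetch", "collect",
    "just tell me what you want",
]

# Constructed anchor terms: the scoped router requires one of these in the same prompt.
AML_ANCHORS = ["amlsim", "aml", "money laundering", "laundering", "suspicious activity"]


def phrase_in(phrase: str, text: str) -> bool:
    """Whole-phrase match on lower-cased text: 'run' must not fire on 'running' or 'prune'."""
    return re.search(r"(?<![a-z])" + re.escape(phrase) + r"(?![a-z])", text) is not None


def matches_broad(prompt: str) -> list[str]:
    """Router as the findings describe it: any trigger phrase on its own activates the skill."""
    p = prompt.lower()
    return [t for t in BROAD_TRIGGERS if phrase_in(t, p)]


def matches_scoped(prompt: str) -> list[str]:
    """Tightened router: a trigger counts only if an AML anchor term is also present."""
    p = prompt.lower()
    hits = matches_broad(prompt)
    if hits and any(phrase_in(a, p) for a in AML_ANCHORS):
        return hits
    return []


# Constructed prompts, labelled True when the AML data generator is the right skill to route to.
SAMPLE_PROMPTS = [
    ("Run AMLSim to generate a transaction dataset with five laundering patterns", True),
    ("Run the AMLSim generator and check simulation accuracy of the alerts", True),
    ("Run validation of the AML alert output against the ground-truth laundering cases", True),
    ("Run the unit tests and collect coverage for the auth service", False),
    ("Fetch the latest Kubernetes release notes", False),
    ("Add input validation to the login form", False),
    ("What is the simulation accuracy of my CFD model?", False),
    ("Just tell me what you want and I will write the code", False),
]


def evaluate(router, samples=SAMPLE_PROMPTS) -> tuple[int, int]:
    """Return (in-scope prompts routed to the skill, out-of-scope prompts routed to the skill)."""
    hits = sum(1 for prompt, in_scope in samples if in_scope and router(prompt))
    misfires = sum(1 for prompt, in_scope in samples if not in_scope and router(prompt))
    return hits, misfires


if __name__ == "__main__":
    for name, router in (("broad", matches_broad), ("scoped", matches_scoped)):
        print(f"{name:<7} hits / misfires: {evaluate(router)}")
```

On the constructed set the broad triggers route all three AML prompts and all five unrelated ones; the scoped router keeps the three AML prompts and drops every misfire. Anchoring only removes accidental overlap: a prompt that deliberately includes "amlsim" to pull this skill in still routes here, which is the Keyword Baiting Trigger pattern listed at the top of this page. The durable fix is the one the overview gives, narrowing what the skill itself is allowed to do, rather than relying on the router.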

VirusTotal

66/66 vendors flagged this skill as clean.