Arch Garch Volatility

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but its advertised GARCH analysis purpose is mixed with broader ZVT data collection, backtesting, broker-adjacent, and trading-execution instructions that need review before use.

Install only if you intend to use a broad ZVT/quant-strategy helper, not just a GARCH volatility model assistant. Keep it backtest-only, run setup in an isolated Python environment, avoid broker-connected QMT or paid-provider credentials unless explicitly needed, and do not allow it to place or automate real trades without separate confirmation and controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (16)

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill is presented as a GARCH volatility-modeling capability, but its documented pipeline and prompts expand into generic data collection, factor computation, backtesting, and trading execution. This scope mismatch can cause an orchestrator or user to invoke a much more powerful trading workflow than expected, violating least-privilege and increasing the chance of unintended market actions.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
Including oil-price cointegration analysis broadens the skill beyond the stated GARCH/Sharpe/SPA scope and signals that the skill may execute unrelated quantitative workflows. This weakens trust in the skill contract and can lead agents to load or authorize capabilities that were not expected from the manifest.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The documentation introduces trading-execution behavior, order semantics, and fatal trading rules even though the declared purpose is volatility modeling and statistical evaluation. In an agent ecosystem, this is dangerous because it can silently escalate from analytics into action-taking behavior, potentially causing unauthorized trades or unsafe automation.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The top-level description advertises a narrow statistical modeling tool, but the body describes a broader strategy, backtesting, and trading system. This inconsistency can mislead policy engines, reviewers, and users about what the skill is capable of, increasing the risk of overbroad access and unsafe invocation.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The human summary describes a broad ZVT-based quant strategy and backtesting assistant, while the skill metadata says the skill is for ARCH/GARCH volatility modeling and related statistical tests. This scope mismatch can cause the orchestrator or user to invoke the skill for tasks it was not intended or reviewed to perform, increasing the chance of unsafe tool use, misleading outputs, or routing sensitive financial workflows to the wrong capability.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The summary explicitly frames the skill as focused on ZVT and A-share strategy construction, which contradicts the declared ARCH/GARCH statistical modeling purpose. This inconsistency is dangerous because users and calling systems may trust the human-facing summary over the formal metadata, leading to confused-deputy behavior, improper invocation, and reduced transparency about what the skill actually does.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata presents a narrow ARCH/GARCH volatility-analysis capability, but the seed actually defines a much broader ZVT trading/backtesting system with data collection, target selection, trading execution, and visualization. This capability mismatch is dangerous because it can cause users or hosts to authorize a seemingly low-risk analytical skill while actually installing or invoking a materially more powerful trading-oriented workflow.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The human-facing summary claims the skill helps build A-share quant strategies with ZVT, including MACD backtests and end-to-end trading workflows, which directly conflicts with the declared ARCH/GARCH volatility-modeling purpose. This is dangerous because user-facing text is what operators often rely on for trust decisions; misleading summaries can smuggle in broader powers than expected.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The seed includes explicit trading execution semantics, order-ordering rules, and market-execution constraints even though the stated skill purpose is limited to volatility modeling, forecasting, and statistical inference. Hidden execution semantics materially increase risk because they introduce behavior with financial and operational consequences that a user would not reasonably expect from an analysis-only skill.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The seed requires installation and use of the ZVT trading/data framework and market-data recorders, which is inconsistent with a skill presented as an ARCH/GARCH analysis tool. This is dangerous because it expands the dependency and operational surface area to include persistent data directories, recorder tooling, and trading-oriented infrastructure that users did not knowingly authorize.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The post-install and user-facing positioning says the skill helps build A-share quant strategies with ZVT, contradicting the manifest description of an ARCH/GARCH volatility-modeling skill. Contradictory positioning is a red flag because it suggests intentional concealment or bait-and-switch, making it easier to deploy unexpectedly broad financial workflows under a narrower label.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The execute trigger is broad and based on generic intent matching plus common action verbs like run, execute, backtest, fetch, and collect. Such loose activation criteria increase the chance of accidental invocation, especially in multi-skill environments where ordinary user requests could trigger a sensitive quantitative or trading-related workflow.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Several trigger phrases are generic, such as bootstrap, model comparison, and cointegration, and are not sufficiently bound to this skill's declared scope. In a shared agent environment, these terms can overlap with many unrelated tasks, causing the wrong skill to activate and exposing users to unintended behaviors or outputs.

Vague Triggers

Medium
Confidence
85% confidence
Finding
Phrases like 'Just tell me what you want; I'll write the code' and broad end-to-end strategy assistance language are overly generic and can trigger the skill for a wide range of finance requests unrelated to volatility modeling. In an agent environment, this increases the attack surface by making accidental or inappropriate invocation more likely, especially when combined with the already-misaligned description.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The execute trigger matches broad positive terms plus generic action verbs like run/execute/backtest/fetch/collect, making unintended invocation more likely. In the context of a skill that already appears to expose broader-than-declared trading/data behaviors, loose triggering increases the chance of accidental activation of sensitive workflows.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The manifest says the system will write a persistent .skill file after execution, but there is no clear upfront warning or opt-in around this artifact creation beyond a narrow opt-out flag. Silent persistence is risky because it modifies the user's environment and may create reusable capabilities or state the user did not intend to save.

VirusTotal

66/66 vendors flagged this skill as clean.
