Backtrader Event Driven

Security checks across malware telemetry and agentic risk

Overview

The skill appears to advertise a narrow backtesting helper while its artifacts describe broader quant workflows, server modes, training/research paths, and persistence-like behavior that users would not reasonably expect.

Treat this as a Review item before installing. Ask the publisher to align the manifest, summary, and seed to one clear scope, or split server, training, research, collection, and persistence behavior into separately reviewed skills. If you still install it, run it in an isolated environment, require explicit confirmation before any install, data collection, server start, training, research, or skill-writing action, and review the ZVT data directories and dependencies first.

SkillSpector

By NVIDIA
Vulnerability Patterns (checked categories)
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Description-Behavior Mismatch
Medium severity, 94% confidence

Finding: The human summary materially overstates the skill's capabilities by describing a broad ZVT-based quant development workflow, while the manifest says the skill is for a narrower backtrader event-driven SMA backtest. This kind of scope mismatch can mislead users and downstream agents into invoking the skill for unsupported tasks, increasing the chance of incorrect code generation, unsafe tool use, or data-provider assumptions outside the reviewed boundary.

Intent-Code Divergence
Medium severity, 96% confidence

Finding: The documentation advertises ZVT-based multi-market quant tooling that conflicts with the declared purpose of a backtrader SMA backtester. In an agent setting, this discrepancy is dangerous because the model may rely on the human summary to plan actions, causing it to produce instructions or code for unimplemented or unreviewed workflows, which breaks trust boundaries and can expand effective permissions beyond what operators expect.

Description-Behavior Mismatch
High severity, 94% confidence

Finding: The skill metadata advertises a narrow local backtesting capability, but the seed actually exposes a much broader operational surface including collection, training, research, serving, and skill persistence. This kind of scope mismatch is dangerous because hosts or users may grant trust, permissions, or execution approval based on the narrow description while the artifact can route into materially different workflows.

Description-Behavior Mismatch
High severity, 93% confidence

Finding: The manifest presents a backtrader SMA crossover backtester, but the operational prerequisites and user-facing guidance are centered on ZVT installation, data directories, and broader quant workflows. That mismatch increases the chance of misleading users into enabling extra packages, filesystem access, and data setup unrelated to the stated task, expanding trust and execution scope beyond what was disclosed.

Context-Inappropriate Capability
High severity, 91% confidence

Finding: Including a serving/server capability in a skill supposedly meant for local SMA backtesting creates an unjustified remote-exposure path. Even if not immediately malicious, server entry points can introduce network listeners, long-lived processes, and data exfiltration or abuse opportunities that users would not expect from a backtest-only skill.

Context-Inappropriate Capability
Medium severity, 87% confidence

Finding: Training and research modes materially broaden what code the skill may generate or execute, including larger data access, experiment workflows, and model artifact handling, none of which are implied by a simple SMA backtest description. This hidden expansion is dangerous because it undermines least privilege and makes downstream review and approval decisions unreliable.

Intent-Code Divergence
Medium severity, 84% confidence

Finding: The user-facing summary markets a broad ZVT end-to-end quant assistant, contradicting the nominal backtrader-only SMA backtest scope. Misleading documentation is a security issue here because users may consent to installation, data access, and execution under false assumptions about what the skill actually is and which subsystems it may invoke.

Vague Triggers
Medium severity, 92% confidence

Finding: The execute trigger is defined by a loose combination of broad intent matching and generic action verbs, which can cause the skill to auto-activate for ambiguous user requests. In an agent environment that can fetch data or run backtests, unintended invocation may trigger unnecessary computation, data access, or execution of finance-related workflows the user did not clearly request.

Vague Triggers
Medium severity, 82% confidence

Finding: The execute trigger is broad enough to fire on generic finance or backtesting discussions when paired with common action verbs. Overbroad invocation criteria can cause unintended execution, dependency installation, or workflow selection without clear user intent, especially in agentic environments that auto-route based on trigger terms.

Vague Triggers
Medium severity, 80% confidence

Finding: The use-case positive terms are generic enough to overlap with ordinary discussion of backtrader, moving averages, and data printing, which increases the chance of accidental routing into execution paths. In a skill that already has scope drift, loose trigger matching compounds the risk by making unintended activation more likely.

VirusTotal

66/66 vendors flagged this skill as clean.