Bt Portfolio Backtest

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it presents itself as a bt portfolio backtest helper while instructing broader ZVT data collection, provider or broker credential use, and local persistence.

Review this before installing. Use it only if you intentionally want a ZVT-style quant workflow, not just a bt portfolio backtest. Run any pip, zvt.init_dirs, recorder, or provider commands in an isolated environment, avoid broker-linked credentials unless explicitly needed, and require confirmation before data collection or saving generated skill files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The human summary materially misrepresents the skill as a ZVT-based end-to-end quant/trading workflow for A-share, HK, and crypto, while the declared skill scope is a bt-based portfolio backtesting tool. This kind of scope drift can cause an agent or user to invoke the skill for unintended data acquisition, trading, or unsupported market workflows, increasing the chance of unsafe code generation, misuse, or reliance on nonexistent controls.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The documented use cases advertise capabilities beyond portfolio construction/backtesting, including market-data collection, factor pipelines, target selection, and trading workflows. Overstated capabilities are dangerous because downstream agents may trust the summary as authorization to perform broader actions than intended, leading to incorrect tool selection, excessive permissions assumptions, or unsafe financial-analysis outputs.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The seed file is materially misaligned with the declared skill identity: a bt portfolio backtest skill is presented as a much broader ZVT-based agent with data collection, persistence, factor pipelines, and trading workflows. This is dangerous because users and host systems may grant permissions, route intents, or trust outputs based on the narrow manifest while the actual artifact can trigger a wider operational surface than expected.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The documented capabilities expand far beyond the stated bt portfolio construction use cases into factor research, screening, MACD strategies, and end-to-end trading workflows. This overbroad capability declaration increases the chance of accidental or unauthorized invocation of functions the user did not intend to enable.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The skill includes external market-data collection and credentialed provider integration despite being described as a bt backtesting skill. That broadens the trust boundary from local analysis to network/data-provider interactions, which can expose credentials, pull unintended data, or create side effects inconsistent with user expectations.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
Advertising collector, factor, training, serving, and research entry points inside a skill supposedly dedicated to backtesting creates an unnecessary execution surface. Multiple unrelated modes increase misuse risk and make it easier for routing logic or downstream tooling to invoke operations with very different side effects than expected.

Intent-Code Divergence

High
Confidence: 99%
Finding
The post-install and human-summary text actively rebrands the skill as a ZVT A-share strategy assistant, directly contradicting the declared bt portfolio backtest identity. This is especially risky because user-facing documentation influences trust and invocation behavior; misleading summaries can cause users to authorize actions or provide credentials under false assumptions.

Vague Triggers

Medium
Confidence: 89%
Finding
The execute trigger is defined with broad semantic matching terms plus generic action verbs, which can cause the skill to activate on loosely related user requests. In an agent setting, unintended invocation can lead to the wrong tool or workflow being selected, causing unauthorized data collection, backtest execution, or misleading financial outputs without clear user consent.

Vague Triggers

Medium
Confidence: 89%
Finding
The execute trigger matches broad intent terms plus generic action verbs like run/execute/backtest, which can cause unintended activation. In a skill that already has scope drift and multiple execution modes, loose triggering increases the probability of accidental execution of data collection or analysis flows the user did not explicitly request.

Vague Triggers

Medium
Confidence: 84%
Finding
Using common phrases as direct-invocation sample triggers encourages overly permissive routing and accidental activation. Because these phrases are generic finance terms, they may be spoken in exploratory discussion and still be interpreted as commands, especially in hosts with automatic intent execution.

VirusTotal

66/66 vendors flagged this skill as clean.
