Credit Scorecard

Security checks across malware telemetry and agentic risk

Overview

This skill is advertised as credit-scorecard bucketing but contains substantial stock/crypto trading, market-data, backtesting, and local setup instructions that users should review before installing.

Install only if you intentionally want a ZVT quant/backtesting assistant as well as scorecard content. Use an isolated Python environment, pin and review dependencies before installing zvt, require explicit confirmation before any data fetch, broker/provider login, or order-related workflow, and avoid providing paid-provider or broker credentials unless the exact generated code and data paths are clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Intent-Code Divergence

Severity: High (98% confidence)
The skill claims to perform credit-scorecard bucketing, but its body describes a trading/backtesting pipeline, market selection, broker/data-provider choices, and execution constraints. This creates a dangerous scope mismatch: an agent or user may invoke the skill expecting offline credit-risk analytics while actually activating logic associated with financial trading workflows, increasing the chance of unauthorized or unintended high-impact actions.

Description-Behavior Mismatch

Severity: High (99% confidence)
The manifest advertises a credit-scorecard bucketing capability, but the documentation expands into stock/crypto strategy selection, market/provider questions, and trading execution behavior. This is a true security-relevant misrepresentation because orchestration systems often rely on metadata for routing and trust decisions; misleading metadata can cause the wrong skill to be selected in sensitive finance contexts.

Intent-Code Divergence

Severity: High (98% confidence)
The human-facing summary describes a completely different capability set—quant strategy development, market data retrieval, and backtesting—than the declared skill purpose of credit-scorecard variable binning. This kind of identity mismatch can cause the agent or user to invoke the skill under false assumptions, enabling unintended access patterns, misleading outputs, or routing of sensitive financial-analysis tasks to an unrelated skill.

Description-Behavior Mismatch

Severity: High (97% confidence)
The documented behavior substantially expands the skill scope from scorecard binning into unrelated financial-market operations such as data fetch, strategy construction, and backtesting. Scope expansion is dangerous because agents may grant the skill opportunities to handle tasks, data, or user expectations outside its intended trust boundary, increasing the chance of unsafe tool selection and misuse.

Context-Inappropriate Capability

Severity: Medium (93% confidence)
The summary claims external financial data source support and backtesting capabilities that are unjustified for a credit-scorecard binning skill. Even if no such capability exists, these claims can mislead orchestration logic or users into supplying inappropriate inputs or relying on fabricated functionality, which can produce harmful financial-analysis outcomes and trust-boundary confusion.

Description-Behavior Mismatch

Severity: High (98% confidence)
The file embeds semantic locks and preconditions for a trading system, including order execution rules, market microstructure constraints, and commands to initialize and access zvt market data, even though the skill is described as a credit-scorecard binning tool. This capability/context mismatch is dangerous because unrelated operational guidance can cause an agent to perform unexpected financial-data or trading-adjacent actions outside the declared scope, expanding the attack surface and enabling covert behavior hiding in documentation.

Context-Inappropriate Capability

Severity: High (99% confidence)
The documented preconditions instruct the environment to install zvt, initialize local data directories, and fetch stock market data for a named A-share security, which is unjustified for a credit-scorecard skill. In this context, these instructions are especially suspicious because they introduce external data acquisition and filesystem-modifying behavior unrelated to scorecard binning, potentially leading an agent to access unauthorized data sources or execute unintended setup actions.

Description-Behavior Mismatch

Severity: Critical (99% confidence)
The seed is labeled and described as a credit-scorecard bucketing skill, but this section binds execution to ZVT trading/backtesting preconditions and workflows. This is dangerous because users or downstream agents may invoke an unrelated market-trading capability under a finance scorecard label, leading to unintended code execution paths, wrong dependency installation, and policy/control bypass through skill confusion.

Description-Behavior Mismatch

Severity: Critical (99% confidence)
The declared architecture executes market data collection, target selection, trading execution, and visualization rather than credit-risk bucketing/reporting. In context, this mismatch substantially increases risk because an operator expecting offline scorecard analytics could instead activate data-fetching and trading-oriented behaviors with different safety assumptions and side effects.

Description-Behavior Mismatch

Severity: High (98% confidence)
The human-facing summary advertises A-share quant strategy development, not credit scorecard binning. This creates a social-engineering style mismatch where users are misled about what the skill will do, making accidental invocation of unrelated financial workflows more likely.

Context-Inappropriate Capability

Severity: High (97% confidence)
Trading-specific semantic locks and backtest validation logic are embedded in a skill presented as scorecard bucketing. These controls expand capability beyond the stated purpose and may cause agents to honor trading invariants and execution scaffolding in the wrong context, increasing the chance of unsafe or unauthorized operational behavior.

Context-Inappropriate Capability

Severity: High (97% confidence)
The resource and installation sections pull in ZVT and trading-oriented host adapter recipes even though the skill is purportedly for scorecard bucketing. Unjustified dependency installation broadens the attack surface, increases supply-chain risk, and can trigger execution of code irrelevant to the user's requested analytic task.

Intent-Code Divergence

Severity: High (96% confidence)
The installation notice and summaries self-present as a quant strategy tool, directly contradicting the credit-scorecard identity. Contradictory self-description is dangerous because it undermines operator trust boundaries and can cause host systems to route requests, permissions, or compliance checks incorrectly.

Vague Triggers

Severity: Medium (88% confidence)
The trigger terms are broad enough to match common conversation, and they are attached to a skill whose actual behavior is already inconsistent with its stated purpose. Overbroad activation increases the risk that the agent routes ordinary analytics requests into an unrelated finance/trading workflow, causing confusing or unsafe actions.

Vague Triggers

Severity: Medium (90% confidence)
The execution condition uses ambiguous intent matching plus generic action verbs such as run/execute/fetch/collect, which can easily be satisfied by ordinary user phrasing. In a financial context, such loose activation logic is dangerous because it can trigger an operational workflow without clear user consent or precise task qualification.

Missing User Warnings

Severity: Medium (93% confidence)
The markdown explicitly includes a pipeline stage named trading_execution but provides no warning, consent mechanism, or boundary indicating whether this is simulated or real. In a finance-related skill, omission of these safeguards materially increases the risk of unintended real-world actions, data access, or downstream automation being treated as safe analysis.

Vague Triggers

Severity: Medium (84% confidence)
The invocation language is broad and open-ended ('Just tell me what you want; I'll write the code'), which can cause the skill to be selected for requests far outside its intended purpose. In the context of an already misrepresented skill, broad phrasing increases the likelihood of unintended activation and incorrect delegation, compounding the risk of misuse.

Vague Triggers

Severity: Medium (89% confidence)
The execute trigger fires on broad intent matching plus generic verbs like run/execute/跑/执行, which makes invocation boundaries ambiguous. In a mismatched skill like this, broad triggering is more dangerous because ordinary conversational requests may accidentally activate unrelated trading or data-access behavior.

Vague Triggers

Severity: Medium (86% confidence)
Many sample triggers are extremely generic, increasing the chance of accidental invocation or incorrect routing. Because this file already mixes scorecard and trading domains, generic trigger phrases amplify the risk that benign conversation is interpreted as permission to execute an unrelated workflow.

VirusTotal

63/63 vendors flagged this skill as clean.