Cuemacro Finmarket

Security checks across malware telemetry and agentic risk

Overview

The skill is instruction-only, but its public purpose and its operational instructions disagree in ways that could route finance work to the wrong market, framework, data sources, or storage path.

Review this skill carefully before installing. Treat it as a Review item because the advertised FX/finmarketpy scope does not match the ZVT/A-share instructions it may actually follow. Use an isolated Python environment, avoid live trading credentials, prefer read-only data-provider keys, choose storage paths and S3 buckets deliberately, and verify any generated code before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (15)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The human-facing summary materially misrepresents the skill’s purpose by emphasizing ZVT/A-share workflows instead of the manifest’s stated FX G10 backtesting and ArcticDB/Quandl tooling. This can cause users or orchestration systems to invoke the skill in the wrong context, leading to unsafe or unintended actions, incorrect code generation, and misuse of data providers or trading workflows.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The tagline presents a primary workflow that conflicts with the documented core intent of the skill, creating a deceptive entry point for users and automated routing logic. In agent systems, mismatched intent metadata can cause incorrect tool selection and execution under false assumptions, which is a real security and reliability risk.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The seed manifest and the embedded behavior are materially inconsistent: the skill is advertised as finmarketpy/FX G10, but the operational requirements and assumptions are for ZVT/A-share workflows. This can cause an agent to install the wrong packages, ask for the wrong inputs, and execute an unintended financial workflow, which is dangerous in a trading context because users may rely on outputs that do not correspond to the requested market or framework.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The architecture section defines a ZVT equity trading pipeline, including A-share semantics and ZVT-specific execution rules, rather than the declared finmarketpy FX backtesting framework. This type of semantic mismatch is hazardous because it drives the agent's control flow and code generation behavior, so the skill may execute a different capability than the one the user selected.

Intent-Code Divergence

High
Confidence: 98%
Finding
The human-facing summary explicitly tells users the skill builds A-share strategies with ZVT, contradicting the metadata and use cases that present it as a finmarketpy FX market-data/backtesting skill. Misleading operator-facing documentation increases the chance of unsafe or incorrect execution because users and hosts may authorize actions under false assumptions about asset class, framework, and data sources.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The post-install notice states the skill is for A-share with ZVT, while the skill metadata and named use cases center on finmarketpy FX and market-data tasks. This inconsistency is dangerous because post-install messaging is often the first operational guidance a user sees, and it can steer them into the wrong execution path or trust incorrect capabilities.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The scaffold exposes extra entry points such as training and serving that are not justified by the stated purpose of a backtesting/data-storage skill. Unnecessary capability surface increases the chance of accidental invocation, privilege expansion, and unsafe code generation paths that were not reviewed for this skill's intended scope.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger list includes broad, generic finance terms such as market data, aws, and fetch data, which can match many unrelated user requests and cause the skill to activate outside its intended scope. In a skill that can access external data sources and storage backends, overbroad routing increases the chance of unintended execution and misuse of connected capabilities.

Vague Triggers

High
Confidence: 95%
Finding
The execution rule activates when intent matches positive terms and the user uses a common action verb like run, execute, backtest, fetch, or collect, which is an ambiguous condition likely to fire on ordinary discussion or exploratory requests. Because this skill interfaces with market data vendors, local databases, and S3 storage, accidental invocation could trigger external calls, data writes, or costly operations without sufficiently clear user consent.

Vague Triggers

Medium
Confidence: 83%
Finding
The phrase 'Just tell me what you want; I'll write the code' is overly broad and unconstrained, which can trigger the skill on vague requests and encourage open-ended code generation outside its intended scope. In an agent environment, ambiguous activation language increases the chance of inappropriate invocation, overreach, or generation of code for unsupported or sensitive tasks.

Vague Triggers

Medium
Confidence: 81%
Finding
Repeating the same unconstrained tagline reinforces ambiguous activation conditions and broadens the chance that routing or users interpret the skill as a general-purpose coding agent. This is especially problematic because the repeated wording also conflicts with the declared skill focus, compounding misrouting risk.

Vague Triggers

Medium
Confidence: 95%
Finding
The execute trigger uses broad positive terms plus generic action verbs like run, execute, backtest, and fetch, which can match normal conversational finance requests. That makes unintended skill activation more likely, potentially causing the agent to enter execution mode, install packages, or produce code when the user only wanted discussion or analysis.

Vague Triggers

Medium
Confidence: 93%
Finding
Using 'backtest' as a sample trigger is too generic because it overlaps with ordinary finance conversations and many unrelated tools. In a skill system, overly broad triggers can misroute user intent and activate the wrong workflow, especially when combined with already broad execute conditions.

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger phrase 'market data' is broad enough to match many benign questions that are not requests to invoke this specific skill. In this context, broad routing is more dangerous because the file already contains conflicting framework definitions, so accidental activation may send users into the wrong market or toolchain.

Vague Triggers

Low
Confidence: 88%
Finding
The trigger 'aws' is highly generic and may collide with many unrelated infrastructure or cloud-storage questions. While lower impact than execution-specific triggers, it still broadens the invocation surface and can misclassify user intent into this skill unnecessarily.

VirusTotal

66/66 vendors flagged this skill as clean.
