Daily Stock Analyzer

Security checks across malware telemetry and agentic risk

Overview

This finance skill is not clearly malicious, but it bundles broad trading, hosting, notification, diagnostics, persistence, and portfolio/account capabilities under a narrower daily stock-analysis description.

Install only after reviewing and constraining it as a broad finance automation skill, not just a daily stock analyzer. Use read-only data credentials where possible, avoid broker/trading permissions unless deliberately needed, disable server, bot, diagnostics, and notification features by default, confirm what data is stored, and treat all buy/hold/sell output as informational rather than financial advice.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (17)

Description-Behavior Mismatch (Medium severity, 91% confidence)
The manifest presents a narrow daily stock analysis skill, but the body expands into a broader quant strategy and trading pipeline platform. This scope drift can cause an agent or user to invoke capabilities involving code generation, backtesting, data operations, or trading-related workflows that were not clearly disclosed or reviewed, increasing the chance of unsafe financial automation.

Description-Behavior Mismatch (Medium severity, 88% confidence)
Documenting a RESTful backend with CORS and static frontend hosting materially expands the skill from analysis into service deployment. That broadens the attack surface and may encourage exposing financial or agent functionality over a network without the manifest, safeguards, or deployment constraints clearly covering those risks.

Description-Behavior Mismatch (Medium severity, 90% confidence)
The triggering and prompt guidance advertise backtesting, provider selection, data collection, and custom strategy construction beyond the declared stock-signal scenarios. In a finance skill, this can lead to unintended execution of more powerful workflows and generation of trading logic the user did not explicitly request under a properly bounded risk model.

Description-Behavior Mismatch (Medium severity, 93% confidence)
The human summary materially expands the skill from a narrow daily stock analysis assistant into a general ZVT-based quant strategy, backtesting, and code-generation assistant. This mismatch can mislead the orchestrator or user into granting the skill broader authority and handling requests outside its declared scope, increasing the chance of unsafe tool use or unintended execution paths.

Context-Inappropriate Capability (Medium severity, 95% confidence)
Claiming the ability to build arbitrary quant-strategy code and RESTful backend services goes beyond the stated skill purpose and can cause the agent to solicit or generate operational code not intended by the skill’s trust boundary. In an agent environment, capability overstatement is dangerous because it can trigger code-generation, infrastructure guidance, or service-building behaviors that bypass user expectations and platform review.

Description-Behavior Mismatch (High severity, 96% confidence)
The seed file's declared capabilities materially exceed the skill's advertised scope, adding API hosting, AI asset validation, environment testing, index generation, backtesting, and portfolio features to what is presented as a daily stock analysis/push skill. This scope mismatch is dangerous because users or host routers may invoke powerful side capabilities they did not consent to, increasing attack surface and enabling unintended execution paths.

Description-Behavior Mismatch (Medium severity, 91% confidence)
The notification surface is broader than the manifest suggests, with multiple outbound channels beyond the claimed WeChat push scope and contradictory routing text. Extra outbound integrations increase data-exfiltration and misdelivery risk because analysis results or account-linked content may be sent to channels the user did not expect or approve.

Description-Behavior Mismatch (High severity, 97% confidence)
The human-facing summary repositions the skill as a broad ZVT quant/backtest assistant rather than the declared Qlib daily analyzer. Misleading user-facing capability text can cause unsafe invocation and over-trust, especially in a finance context where users may expose credentials, datasets, or operational authority based on the wrong understanding of what the skill does.

Context-Inappropriate Capability (Medium severity, 89% confidence)
Including AI asset/governance validation inside a stock-analysis skill introduces unrelated filesystem/configuration inspection behavior. That broadens privilege expectations and can expose repository structure, governance files, or internal configuration paths outside the user's intended task.

Context-Inappropriate Capability (Medium severity, 87% confidence)
Environment/configuration testing adds capabilities such as checking .env loading, database connectivity, API availability, LLM calls, and notification tests that exceed end-user analysis needs. In practice this can reveal sensitive operational details and trigger network actions under the guise of a normal analysis skill.

Context-Inappropriate Capability (Medium severity, 90% confidence)
Unrelated data-pipeline utilities for stock-index generation and market-list export enlarge the callable surface far beyond daily analysis. These functions may perform bulk data collection or file generation, creating opportunities for unintended resource use, data leakage, or abuse through ambiguous routing.

Intent-Code Divergence (Medium severity, 84% confidence)
The notification use case is internally inconsistent: it names Server酱3, the manifest emphasizes WeChat push, and the wider file supports many channels. Such contradictions are risky because operators and users cannot reliably infer where outputs will be sent, increasing the chance of accidental disclosure or hostile rerouting of reports.

Vague Triggers (Medium severity, 93% confidence)
The execute trigger is broad and based on generic intent matching plus common action verbs, making accidental activation plausible. In a trading-related context, unintended invocation can cause unauthorized analysis flows, code generation, or recommendation output that users may act on as if deliberately requested.

Vague Triggers (Medium severity, 89% confidence)
Several trigger phrases are generic and likely to overlap with normal conversation, increasing the chance the skill activates when the user is merely discussing stocks, APIs, or tools. In a financial-advice setting, that ambiguity is more dangerous because generated outputs may be interpreted as actionable recommendations.

Missing User Warnings (Medium severity, 95% confidence)
The skill advertises automated buy/hold/sell recommendations and WeChat push delivery without clear user-facing warnings, consent, or decision-risk framing. In finance, automated recommendation distribution can amplify harm because users may rely on outputs for real money decisions or receive unsolicited high-impact notifications.

Vague Triggers (Medium severity, 86% confidence)
Broad phrasing such as 'Just tell me what you want; I'll write the code' and a wide list of use cases can make the skill activate for loosely related quant, coding, or market-analysis requests. Unintended activation increases the risk that the wrong skill handles a request, exposing users to incorrect outputs, unnecessary data access, or actions beyond the reviewed purpose.

Vague Triggers (Medium severity, 94% confidence)
The execute trigger combines broad intent matches with generic verbs like run/execute/fetch/collect, making accidental or adversarial invocation much easier. In a skill with installation recipes, data collection, notifications, and diagnostics, ambiguous triggering can cause privileged actions to run when the user only intended a benign question.

VirusTotal

64/64 vendors flagged this skill as clean.