Financial Ratios Toolkit

Security checks across malware telemetry and agentic risk

Overview

The skill is presented as a financial analysis or ratios helper, but its own instructions expand into trading strategy generation, backtesting, execution semantics, code generation, and durable skill-file writing.

Review this carefully before installing. Treat it as a trading/backtesting/code-generation skill, not a simple financial-ratios helper. Do not give it broker credentials, account access, broad filesystem write access, or permission to create/update skills unless you specifically want those capabilities and can confirm every trading or file-writing action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Description-Behavior Mismatch
Severity: Medium
Confidence: 91%
Finding: The skill declares itself as a financial analysis toolkit, but the documented pipeline explicitly includes target selection and trading execution. This creates a capability-scope mismatch that can cause an agent or user to invoke the skill for order-generation or trading workflows without the stronger approvals, guardrails, and disclosure normally required for execution-capable tools.

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: The use-case prompts and semantic locks go beyond passive analysis and specify trading strategy execution semantics, sell/buy ordering, next-bar execution, and signal schema constraints. Even if presented as documentation, these instructions normalize operational trading behavior inside a skill advertised as analysis-only, increasing the chance of unauthorized or accidental execution-oriented use.

Description-Behavior Mismatch
Severity: High
Confidence: 98%
Finding: The seed content materially diverges from the advertised skill identity: instead of a financial-ratios toolkit, it defines a ZVT-based A-share strategy generation, backtesting, and trading workflow. This kind of capability mismatch is dangerous because users and hosts may grant permissions, data, or trust under a much narrower expected scope, enabling unexpected code generation and trading-related actions.

Intent-Code Divergence
Severity: High
Confidence: 97%
Finding: The user-facing summary explicitly says the skill helps build A-share quant strategies with ZVT, which contradicts the declared financial-ratios-toolkit identity. This is dangerous because it normalizes a broader and riskier operational scope at the UX layer, increasing the chance that users trigger trading-oriented behavior they did not intend to enable.

Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: The skill contains autonomous persistence behavior that writes a new .skill file after hard gates pass. Self-persistence is unrelated to the stated analysis purpose and can create unauthorized state changes, capability propagation, or durable modifications in the host environment.

Context-Inappropriate Capability
Severity: High
Confidence: 97%
Finding: Executable backtest scaffolding and code-generation pathways are not justified by a financial analysis toolkit description. This expands the skill from analysis into code emission and execution preparation, which raises the risk of unintended script generation, environment modification, and misuse of host execution facilities.

Vague Triggers
Severity: Medium
Confidence: 88%
Finding: The activation rule matches broad intent terms plus generic action verbs like run, execute, fetch, and collect, which can unintentionally trigger the skill in loosely related conversations. In a finance context, overbroad invocation is risky because it may pull market data, generate trading signals, or steer users into execution-oriented flows without clear intent.

Vague Triggers
Severity: Medium
Confidence: 84%
Finding: Trigger phrases such as 'financial analysis', 'overview', 'bond', or 'yield' are generic and likely to appear in many ordinary conversations. This can cause the skill to activate outside its intended context, leading to irrelevant tool use, unintended data access, or escalation into sensitive financial recommendation or trading workflows.

Vague Triggers
Severity: Medium
Confidence: 88%
Finding: The execute trigger combines broad intent matching with generic action verbs such as run, execute, fetch, and collect. Overly broad activation criteria can cause unintended invocation on ordinary user requests, leading the host to enter a more privileged workflow than the user expected.

Vague Triggers
Severity: Medium
Confidence: 83%
Finding: Sample triggers such as common finance terms are generic enough to overlap with normal conversation. In a skill that also includes code generation and backtesting flows, ambiguous triggers increase the chance of accidental activation and unintended operational behavior.

Vague Triggers
Severity: Medium
Confidence: 83%
Finding: The screening use case exposes trigger words like search, filter, discover, gainers, and losers, which are common in ordinary user requests. Because the skill has expanded operational scope, these generic terms can create false-positive routing into execution-oriented behavior.

Ssd 4
Severity: Medium
Confidence: 85%
Finding: The narrative framing encourages progressive code-generation and trading workflow use despite the skill being presented as a financial analysis toolkit. That normalization is risky because it socially conditions operators to accept execution-capable behavior as routine, weakening scrutiny around a mismatched and potentially overprivileged skill.

Ssd 3
Severity: Medium
Confidence: 84%
Finding: The instruction to consult host conversational memory creates a pathway for prior user-provided data to influence outputs without clear minimization boundaries. In a skill that can generate code and write files, implicit reuse of memory raises the risk of leaking sensitive prior context into later artifacts or actions.

VirusTotal

64/64 vendors flagged this skill as clean.