Finrl Rl Trading

Security checks across malware telemetry and agentic risk

Overview

This trading skill needs review: its manifest identifies it as a FinRL trading skill while its instructions are ZVT-focused, and it describes broker/API-backed trading without clear safeguards.

Install only for controlled research or backtesting. Use an isolated Python environment, do not connect broker or live-trading credentials, and review generated code before executing it. Keep those restrictions in place until the publisher clarifies whether this is a FinRL or ZVT skill, pins its dependencies, and documents explicit trading confirmations, trading limits, and credential handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The human-facing summary materially misrepresents the skill’s functionality by describing a ZVT-based quant/backtesting assistant, while the manifest says the skill performs ensemble RL automated trading. This mismatch can cause users or downstream agents to invoke the skill under false assumptions, leading to inappropriate trust, incorrect workflows, or unsafe use of trading automation capabilities that were not clearly disclosed.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
The file claims to be a FinRL multi-market DRL trading skill, but the post-install and human-facing sections present a different skill centered on ZVT, A-share workflows, and different tooling assumptions. This kind of identity mismatch is dangerous because users, hosts, or automated routers may invoke the wrong execution path, install the wrong dependencies, or trust capabilities the skill does not actually implement.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The documented architecture describes a ZVT data/factor/trader pipeline rather than the advertised FinRL ensemble DRL system. In a security-sensitive skill host, architectural mismatch can cause policy enforcement, validations, and user expectations to attach to the wrong execution model, increasing the risk of unsafe code generation or unintended operations.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
The preconditions require ZVT installation, initialized ZVT directories, and local ZVT market data, which directly conflict with the claimed FinRL skill identity. This can mislead the host into executing environment checks and setup steps for the wrong framework, potentially writing files, installing packages, or querying data stores unrelated to the intended skill.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The user-facing post-install and summary content actively market the skill as a ZVT A-share assistant while the metadata describes a FinRL multi-market trading skill. User-facing contradiction is especially risky because it can socially engineer operators into granting trust, credentials, or execution approval under false assumptions about market scope, broker support, or code behavior.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The execute trigger is broad enough to activate on common verbs like run, execute, fetch, or collect whenever they appear alongside loosely matching trading-related terms. In a skill that can drive automated trading workflows, ambiguous activation boundaries increase the chance of unintended invocation and downstream financial actions without sufficiently explicit user consent.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
Generic trigger phrases such as ensemble trading, DRL training, backtesting, or A2C are broad technical terms that may appear in benign analytical conversations. Because this skill concerns financial trading, accidental invocation could initiate sensitive workflows or produce action-oriented outputs in contexts where the user intended only discussion or education.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill advertises automated trading execution without any clear warning about financial loss, broker-side effects, or the possibility of placing real orders. In the finance context, omission of safety disclosures is especially dangerous because users may assume a research or simulation mode while the skill is framed as execution-capable.

Vague Triggers

Severity: High
Confidence: 95%
Finding
The execute trigger combines broad intent matching with generic verbs like run, execute, backtest, fetch, and collect. That makes accidental activation plausible for normal finance conversations, which is dangerous for a skill capable of installing packages, touching local workspaces, preparing trading code, or invoking external APIs.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
Several sample triggers and intent phrases are common domain expressions like backtesting, stock trading, or Yahoo Finance, which are too generic to safely dispatch a powerful skill. In a shared assistant environment, overly broad trigger terms can hijack routine user requests and route them into this skill unexpectedly.
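The four Vague Triggers findings above describe one mechanism: a trigger that fires whenever a generic action verb co-occurs with a common trading term. The following added example (written for this page, not taken from the skill or from SkillSpector) models such a broad trigger beside a tightened one that requires an imperative at the start of the request, an explicit skill or workflow name, and no explanatory intent, and runs both over a few constructed prompts. The verb and term lists, the skill names and the prompts are assumptions chosen to mirror the findings, not the skill's actual trigger definition.

```python
import re

# Constructed prompts (not from the report) with whether the skill should activate.
PROMPTS = {
    "Can you run me through how backtesting works?": False,
    "Fetch the A2C paper and summarise its results": False,
    "Collect the Yahoo Finance quotes into a CSV for my homework": False,
    "Run the ensemble DRL training and start trading on my account": True,
    "Execute the FinRL ensemble strategy in paper mode for AAPL": True,
}

# Broad trigger of the kind the findings describe: any generic action verb
# appearing with any common domain term (both lists are assumptions).
ACTION_VERBS = {"run", "execute", "fetch", "collect", "backtest"}
DOMAIN_TERMS = ("backtesting", "trading", "drl", "a2c", "ensemble", "yahoo finance", "stock")


def broad_trigger(prompt: str) -> bool:
    text = prompt.lower()
    words = set(re.findall(r"[a-z0-9]+", text))
    return bool(words & ACTION_VERBS) and any(term in text for term in DOMAIN_TERMS)


# Tightened trigger: the request must start with an imperative verb, name the skill
# or one of its concrete workflows, and carry no explanatory intent. Names are assumptions.
EXPLAIN_MARKERS = ("explain", "what is", "how does", "summarise", "summarize", "teach me")
SKILL_NOUNS = ("finrl", "ensemble strategy", "drl training", "paper mode", "live trading")


def tight_trigger(prompt: str) -> bool:
    text = prompt.lower().strip()
    if any(marker in text for marker in EXPLAIN_MARKERS):
        return False
    first = re.match(r"[a-z]+", text)
    imperative = first is not None and first.group(0) in ACTION_VERBS
    return imperative and any(noun in text for noun in SKILL_NOUNS)


def evaluate(trigger):
    """Return (false_positives, misses) for a trigger over the constructed prompts."""
    false_positives = [p for p, want in PROMPTS.items() if trigger(p) and not want]
    misses = [p for p, want in PROMPTS.items() if want and not trigger(p)]
    return false_positives, misses


if __name__ == "__main__":
    for name, trig in (("broad", broad_trigger), ("tight", tight_trigger)):
        fp, miss = evaluate(trig)
        print(f"{name}: {len(fp)} accidental activations, {len(miss)} missed requests")
```

Over these prompts the broad trigger activates on all three conversational requests, which is the hijacking behaviour the findings warn about, while the tightened one activates only on the two explicit execution requests. A real dispatcher would still pair the tightened trigger with a confirmation step before any order-placing path runs.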

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
The skill advertises paper/live trading capabilities without a prominent user-facing warning about credential use, external API calls, and side effects. Even if it only paper trades, users may not realize the skill can connect to broker APIs or operate on accounts, which raises consent and operational safety concerns.
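The two Missing User Warnings findings and the overview's recommendation (explicit confirmations, limits, credential handling) describe controls the skill does not document. This added example, not code from the skill or from the report, sketches a pre-trade guard that enforces them: an explicit paper/live mode, human confirmation before live mode, refusal to run a research session with broker credentials loaded, and per-order and daily notional limits. The environment variable names, order fields and limit values are assumptions for illustration.

```python
import os
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

# Hypothetical broker credential variable names checked before trading; an assumption
# for this example, not something the scanned skill documents.
CREDENTIAL_ENV_VARS = ("BROKER_API_KEY", "BROKER_API_SECRET")


@dataclass(frozen=True)
class OrderRequest:
    symbol: str
    side: str        # "buy" or "sell"
    quantity: int
    price: float

    @property
    def notional(self) -> float:
        return self.quantity * self.price


@dataclass(frozen=True)
class GuardPolicy:
    mode: str                      # "paper" or "live"; no default, it must be chosen explicitly
    max_notional_per_order: float
    max_daily_notional: float
    live_confirmed: bool = False   # set only after an explicit human confirmation for live mode


class TradeGuard:
    """Pre-trade gate: every order must pass check() before any broker call is made."""

    def __init__(self, policy: GuardPolicy, env: Optional[Mapping[str, str]] = None):
        self.policy = policy
        self.env = os.environ if env is None else env
        self.daily_notional = 0.0

    def loaded_credentials(self):
        return [name for name in CREDENTIAL_ENV_VARS if self.env.get(name)]

    def check(self, order: OrderRequest) -> Tuple[bool, str]:
        p = self.policy
        if p.mode not in ("paper", "live"):
            return False, f"unknown mode {p.mode!r}; refusing to guess"
        creds = self.loaded_credentials()
        if p.mode == "paper" and creds:
            # A research/backtest session must not have broker credentials in reach.
            return False, "broker credentials present in a paper session: " + ", ".join(creds)
        if p.mode == "live" and not p.live_confirmed:
            return False, "live mode requires explicit human confirmation"
        if order.side not in ("buy", "sell") or order.quantity <= 0 or order.price <= 0:
            return False, "malformed order"
        if order.notional > p.max_notional_per_order:
            return False, f"per-order limit exceeded: {order.notional:.2f} > {p.max_notional_per_order:.2f}"
        if self.daily_notional + order.notional > p.max_daily_notional:
            return False, f"daily limit exceeded: {self.daily_notional + order.notional:.2f} > {p.max_daily_notional:.2f}"
        self.daily_notional += order.notional
        return True, f"approved {order.side} {order.quantity} {order.symbol} ({p.mode})"


def demo():
    """Run the guard over a constructed sequence of orders and return the decisions."""
    paper = TradeGuard(GuardPolicy("paper", 5_000.0, 5_000.0), env={})
    orders = [
        OrderRequest("AAPL", "buy", 10, 100.0),    # 1,000: approved
        OrderRequest("AAPL", "buy", 100, 100.0),   # 10,000: exceeds the per-order limit
        OrderRequest("MSFT", "sell", 15, 300.0),   # 4,500: pushes the day past 5,000
    ]
    decisions = [paper.check(o) for o in orders]
    # Same paper policy, but broker credentials are loaded in the environment: refused.
    leaked = TradeGuard(GuardPolicy("paper", 5_000.0, 5_000.0), env={"BROKER_API_KEY": "x"})
    decisions.append(leaked.check(orders[0]))
    # Live mode without the confirmation flag: refused before any limit is consulted.
    unconfirmed_live = TradeGuard(GuardPolicy("live", 5_000.0, 5_000.0), env={})
    decisions.append(unconfirmed_live.check(orders[0]))
    return decisions


if __name__ == "__main__":
    for ok, reason in demo():
        print("ALLOW" if ok else "DENY ", reason)
```

The point of the guard is that the decision to place real orders is made by an explicit policy object the operator constructs, not inferred from whichever credentials happen to be in the environment, which is the ambiguity the findings flag.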

VirusTotal

0/64 VirusTotal vendors flagged this skill; all 64 reported it clean.