Finrobot Multi Agent

Security checks across malware telemetry and agentic risk

Overview

This finance skill appears purpose-aligned, but it needs user review because sensitive financial credentials, memory use, and persistent generated outputs are not clearly scoped at the top level.

Review the full seed and reference files before installing. Use read-only financial API keys where possible, avoid broker or trading credentials unless you explicitly need them, opt out of saved generated skills if you do not want persistence, and confirm where vector stores, ZVT data, and memory-derived context will be kept or cleared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Severity: High. Confidence: 92%.
The human-facing summary materially reframes the skill as an A-share ZVT quant strategy/code-generation tool, while the manifest describes a broader global multi-agent finance analysis platform. That mismatch can cause users or host systems to invoke the skill under false assumptions, expanding it into code-generation and execution paths with different risk characteristics than expected.

Intent-Code Divergence

Severity: High. Confidence: 94%.
This contradiction is dangerous because operators may trust the top-level manifest as a global finance-analysis skill while the user-facing summary pushes a narrower but more operationally sensitive A-share quant/backtesting workflow. In skill ecosystems, inconsistent declarations can bypass human review expectations and trigger higher-risk behavior, especially when paired with execution triggers and strategy scaffolds.

Vague Triggers

Severity: Medium. Confidence: 86%.
The execute trigger is defined by broad semantic matching against positive terms plus generic action verbs like run, execute, fetch, collect, 跑, and 执行. In a financial-analysis skill, these words commonly appear in ordinary discussion, so the skill may auto-activate on ambiguous user input and perform unintended data collection, backtesting, or downstream trading-related workflows.

Vague Triggers

Severity: Medium. Confidence: 90%.
The execute trigger combines broad intent matching with generic verbs like run/execute/backtest/fetch/collect, which can cause accidental or ambiguous activation. In a skill that includes installation recipes, code generation, data collection, and execution logic, overly broad activation semantics raise the risk of unintended privileged actions or surprising side effects.

Vague Triggers

Severity: Medium. Confidence: 83%.
Overly broad sample triggers can cause capability collisions across use cases and route users into the wrong workflow. In this seed, misrouting is more serious because workflows differ substantially in side effects, from research to backtesting to retrieval and file generation.

Vague Triggers

Severity: Medium. Confidence: 83%.
Generic, overlapping trigger phrases increase the chance that the wrong use case is selected. Given this skill's broad surface area, a routing error can expose data collection, code generation, or other workflows that the user did not intend to invoke.

Ssd 3

Severity: Medium. Confidence: 88%.
Directing agents to use host conversational memory and memory files creates a retention and reuse channel for prior user-provided data. In a finance context, that may include sensitive portfolio, account, strategy, or credential-adjacent information, and the manifest does not show clear minimization or consent boundaries around that memory usage.

Ssd 3

Severity: Medium. Confidence: 90%.
Mandating memory queries and recording before execution normalizes collection and retention of user-provided information beyond the immediate request. That is especially sensitive for a financial-analysis skill, where prior conversations can contain holdings, trading plans, personally identifiable information, or proprietary research context.

VirusTotal

65 of 65 vendors reported this skill as clean.