Firesale Stress Test

Security checks across malware telemetry and agentic risk

Overview

This skill is advertised as bank stress testing, but its artifacts repeatedly steer the agent toward quant-trading, backtesting, broker/provider use, package installation, and persistent skill creation.

Install only if you intentionally want a quant-trading/backtesting assistant and are comfortable reviewing its generated code, package installs, local data writes, and any provider or broker access. Do not provide broker credentials or allow live-account use unless the workflow is explicitly simulation-only or asks for transaction-by-transaction confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The skill advertises a bank stress-testing capability, but the operational pipeline and prompts instead describe securities/crypto data collection, backtesting, and trading execution. This mismatch can cause an agent or user to invoke the skill under false assumptions, potentially triggering market-related actions or code paths that are outside the declared financial-risk-analysis scope.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The document's detailed sections directly contradict its headline identity as a bank stress-test skill by prescribing trading and backtesting behavior. In an agent setting, this kind of spec inconsistency is dangerous because downstream routing, approval, and policy checks may rely on the declared purpose while the embedded instructions steer the system toward materially different actions.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The human-facing summary describes an unrelated ZVT-based quantitative trading/backtesting assistant, while the declared skill is for bank stress testing and firesale resilience analysis. This mismatch can cause the wrong skill to be invoked or trusted under false pretenses, leading to unauthorized code generation, misleading financial analysis, or execution of functionality outside the approved scope.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding
The file defines trading-specific semantic locks and market-data preconditions that are unrelated to the stated purpose of bank stress testing using EBA data. This capability mismatch is dangerous because it can hide undeclared trading or market-infrastructure behavior inside a skill that users would reasonably trust for financial risk analysis, increasing the chance of unauthorized actions, data access, or deceptive repurposing.

Context-Inappropriate Capability

Severity: High
Confidence: 94%
Finding
The documentation introduces capabilities such as sell/buy order sequencing, next-bar execution, MACD parameters, transaction costs, and A-share trading constraints, none of which are justified by a bank balance-sheet stress-testing skill. In this context, these instructions materially increase risk because they suggest concealed trading-system functionality and could enable the skill to be repurposed for market activity under a misleading description.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The file presents itself as a bank fire-sale stress-testing skill, but substantial portions define a different ZVT quant-trading/backtesting assistant with A-share, strategy generation, trading execution, and visualization workflows. This semantic mismatch is dangerous because users or host systems may grant permissions, trust, or invoke the skill under false assumptions, enabling unintended trading-oriented behavior and bypassing scope-based controls.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding
The skill includes live-market or trading-framework capabilities that are not justified by the stated banking fire-sale stress-test purpose. Even if some are framed as backtesting-only, exposing broader trading infrastructure in a mismatched skill expands the operational surface and can lead to execution of unintended financial workflows, dependency installation, or misuse of market-related components.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
Declaring unrelated execution modes like collector, factor, training, serving, and research materially broadens what the skill may do beyond the advertised stress-test task. This increases the chance of accidental or unauthorized execution paths, including code generation, data collection, or service exposure that a user did not intend to authorize.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The user-facing documentation directly markets the skill as an A-share quant strategy assistant while earlier sections describe a bank fire-sale stress-testing system. Conflicting documentation can mislead users into providing inappropriate inputs, approving unsafe actions, or misunderstanding what code and data flows will be used, undermining informed consent and safe deployment.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The execute trigger is broad enough to match generic action verbs like run, execute, backtest, fetch, or collect, creating a risk of accidental or unauthorized invocation. In a skill that also references trading execution, ambiguous triggering increases the chance that a user asking for analysis or data retrieval unintentionally activates workflows with higher operational sensitivity.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
Mentioning trading_execution in the pipeline without a clear warning or consent model obscures the possibility of market-impacting or account-affecting behavior. In context, the skill is mislabeled as a bank stress-test tool, which makes the omission more dangerous because users may not expect any trading-related side effects at all.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The summary uses broad language such as 'Just tell me what you want; I'll write the code,' which encourages invocation for general quant or coding tasks rather than the narrow stated purpose. In the presence of the scope mismatch, this broad trigger text increases the chance of accidental or inappropriate activation and can steer users into unsafe or unreviewed financial workflows.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The execute trigger relies on broad intent matching plus generic verbs like run/execute/执行/backtest/fetch/collect, which can match ordinary requests too loosely. Over-broad activation raises the risk that the skill runs in response to ambiguous user language, causing unintended tool use, file operations, or finance-related actions without sufficiently specific consent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The manifest specifies automatic creation of a .skill file after hard gates pass, but does not provide a strong, upfront user warning that the skill will write to the filesystem. Silent persistence or registration behavior is risky because it changes the host environment and may create durable capabilities without clearly informed user consent.

Ssd 3

Severity: Medium
Confidence: 91%
Finding
The instruction to consult host conversational memory introduces a data exposure risk because prior user content may be pulled into current task handling even when not necessary. In a financial skill context, memory may contain sensitive strategy, credentials, identifiers, or prior workspace details, and broad memory access increases the chance of over-collection or leakage across contexts.

VirusTotal

64/64 vendors flagged this skill as clean.