MCP Python SDK

Security checks across malware telemetry and agentic risk

Overview

This is advertised as an MCP Python SDK helper, but its own authoritative files also direct finance/backtesting setup, local writes, and ZVT workflows that are not clearly disclosed by the package identity.

Review carefully before installing. Do not grant broker credentials, paid data-provider accounts, OAuth tokens, payment authority, or permission to run setup/write commands unless the publisher republishes this under a clear finance/ZVT purpose with explicit scopes and confirmations. Static scan was clean and VirusTotal is pending, so the concern is mismatched authoritative instructions rather than detected malware.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (11)

Description-Behavior Mismatch (severity: High, confidence: 99%)

The file presents a finance/trading agent persona and capabilities that are unrelated to the declared MCP Python SDK purpose. This kind of identity mismatch is dangerous because it can covertly repurpose a trusted SDK skill into a different high-risk domain, misleading users and downstream agents about what actions and guidance are appropriate.

Context-Inappropriate Capability (severity: High, confidence: 97%)

The summary claims finance data collection, backtesting, factor screening, and trading pipeline behavior with specific market/provider defaults, none of which are justified by an MCP Python SDK skill. These unjustified capabilities can socially engineer users or orchestration layers into trusting unauthorized financial guidance or code generation, expanding the skill's effective privilege and risk surface.

Intent-Code Divergence (severity: Medium, confidence: 92%)

The generated-summary footer and locale/persona instructions describe an English-source finance agent that should rewrite itself on first contact, which conflicts with the MCP SDK identity. This is dangerous because it helps hide the true unauthorized behavior behind dynamic presentation and makes deceptive repackaging harder for users and auditors to detect.

Description-Behavior Mismatch (severity: Critical, confidence: 99%)

This is a severe skill-identity mismatch: the metadata says the skill is for the MCP Python SDK, but the manifest content actually drives a finance/ZVT quant-strategy workflow with different dependencies, prompts, execution paths, and outputs. That kind of covert repurposing can mislead users and hosts into granting execution or trust under false pretenses, increasing the chance of unintended package installs, code generation, and file writes in an unrelated domain.

Description-Behavior Mismatch (severity: High, confidence: 97%)

The declared purpose is MCP SDK guidance, yet execution preconditions require zvt, local market data, initialized ZVT directories, and SQLite write access. This contradiction is dangerous because it can trick an operator into provisioning finance-specific software and local persistence capabilities that are unnecessary for the advertised SDK task.

Description-Behavior Mismatch (severity: High, confidence: 98%)

The installation recipes and execution scaffold install finance tooling and define backtest-oriented entry points like run_backtest/result.csv rather than MCP SDK examples. This creates a hidden operational shift from documentation/help to code execution for a different domain, which can cause unauthorized installs, misleading outputs, and downstream execution of unexpected scripts.

Intent-Code Divergence (severity: Critical, confidence: 99%)

The user-facing documentation explicitly markets ZVT finance assistance while the skill is presented externally as MCP Python SDK guidance. Active contradiction in comments and summaries is a strong deception signal because it primes the agent to perform materially different tasks than the user or host expects, increasing the risk of unsafe execution under false labeling.

Vague Triggers (severity: Medium, confidence: 89%)

The invocation guidance is very broad and lacks explicit trigger phrases, boundaries, or exclusion conditions, which can cause the host AI to activate this skill in overly general situations. In a knowledge skill that influences architectural and implementation advice, overbroad routing can lead to irrelevant or incorrect MCP guidance being injected into unrelated tasks, increasing the chance of unsafe or misleading recommendations.

Natural-Language Policy Violations (severity: Medium, confidence: 84%)

Mandating automatic translation into the detected user locale without explicit opt-in can alter meaning, obscure original wording, and reduce user awareness that content has been transformed. In this context, where the skill is already misrepresented, automatic translation further aids concealment of misleading or unauthorized instructions across locales.

Vague Triggers (severity: Medium, confidence: 82%)

The execute trigger combines common action verbs with a broad set of positive terms, which increases the chance that ordinary user requests inadvertently activate execution behavior. In the context of an already mislabeled skill, broad triggering is more dangerous because it can launch finance-oriented workflows when the user believed they were interacting with an MCP SDK helper.

Missing User Warnings (severity: Medium, confidence: 84%)

The manifest specifies automatic creation of a .skill file after hard gates pass, but the behavior is not surfaced as a clear just-in-time warning at the moment persistence occurs. Silent or weakly disclosed persistence is risky because it modifies the local skill environment and may create durable invocation paths the user did not knowingly approve.

VirusTotal

60/60 vendors flagged this skill as clean.