Robo Advisor Python

Security checks across malware telemetry and agentic risk

Overview

This finance skill is not clearly malicious, but it combines live-trading authority (order placement through Tradier) with descriptions that inconsistently present it as a backtesting and quant-research tool, and its user-facing safety boundaries are weak.

Treat it as a finance tool that needs review before it is installed. Use an isolated Python environment and a dedicated ZVT_HOME, pin dependencies, never paste broker or data-provider credentials into prompts (supply them through environment variables or a secret store instead), prefer paper trading or backtests, and require explicit order-by-order confirmation before any broker-connected action.
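The recommendations above can be enforced mechanically in front of whatever broker client the skill ends up calling. The following Python is an added example written for this page, not code from the skill, from ZVT or from Tradier: an OrderGate that simulates in backtest or paper mode, in live mode reads the broker token only from the environment (the variable name TRADIER_TOKEN, the symbol allowlist and the notional cap are assumptions for the example), refuses prompt text that looks like it carries a credential, and asks a confirmation callback once per order before anything would be forwarded to a broker.

```python
import os
import re
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable, List, Mapping, Optional, Tuple


class Mode(Enum):
    BACKTEST = "backtest"   # historical simulation, broker never contacted
    PAPER = "paper"         # simulated fills, broker never contacted
    LIVE = "live"           # real orders: each one needs explicit confirmation


@dataclass(frozen=True)
class Order:
    symbol: str
    side: str       # "buy" or "sell"
    qty: int
    limit: float    # limit price, so notional exposure is qty * limit


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Crude detectors for credentials pasted into prompt text. The patterns are
# constructed for this example and are not an exhaustive secret scanner.
SECRET_PATTERNS = (
    re.compile(r"(?i)\b(api[_-]?key|access[_-]?token|secret)\b\s*[:=]\s*\S+"),
    re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._-]{16,}"),
)


def prompt_contains_secret(text: str) -> bool:
    """True if prompt text looks like it carries a broker or data-provider credential."""
    return any(p.search(text) for p in SECRET_PATTERNS)


class OrderGate:
    """Pre-trade gate that sits in front of any broker-connected call."""

    def __init__(self, mode: Mode, confirm: Callable[[Order], bool],
                 allowed_symbols: Iterable[str], max_notional: float,
                 env: Mapping[str, str] = os.environ):
        self.mode = mode
        self.confirm = confirm                      # asked once per live order
        self.allowed_symbols = {s.upper() for s in allowed_symbols}
        self.max_notional = max_notional
        self.env = env
        self.journal: List[Tuple[Order, Decision]] = []   # audit trail of every decision

    def broker_token(self) -> Optional[str]:
        # The credential comes only from the environment, never from prompt text.
        # TRADIER_TOKEN is a hypothetical variable name chosen for this example.
        return self.env.get("TRADIER_TOKEN")

    def submit(self, order: Order, prompt_text: str = "") -> Decision:
        decision = self._evaluate(order, prompt_text)
        self.journal.append((order, decision))
        return decision

    def _evaluate(self, order: Order, prompt_text: str) -> Decision:
        if order.side not in ("buy", "sell") or order.qty <= 0 or order.limit <= 0:
            return Decision(False, "malformed order")
        if prompt_contains_secret(prompt_text):
            # Do not proceed on a prompt that leaked a key; treat the key as compromised.
            return Decision(False, "credential material in prompt text; refuse and rotate the key")
        if self.mode is not Mode.LIVE:
            return Decision(True, f"{self.mode.value}: simulated fill, broker not contacted")
        if not self.broker_token():
            return Decision(False, "live mode but no broker token in the environment")
        if order.symbol.upper() not in self.allowed_symbols:
            return Decision(False, f"{order.symbol} is not on the allowlist")
        notional = order.qty * order.limit
        if notional > self.max_notional:
            return Decision(False, f"notional {notional:.2f} exceeds cap {self.max_notional:.2f}")
        # Only a well-formed, in-policy live order reaches the human, and the
        # gate never batches confirmations across orders.
        if not self.confirm(order):
            return Decision(False, "user declined order-by-order confirmation")
        return Decision(True, "live: confirmed, forwarding to broker")


if __name__ == "__main__":
    def ask(order: Order) -> bool:
        prompt = f"Place {order.side} {order.qty} {order.symbol} @ {order.limit}? [y/N] "
        return input(prompt).strip().lower() == "y"

    gate = OrderGate(Mode.PAPER, ask, allowed_symbols=["SPY", "AGG"], max_notional=10_000)
    print(gate.submit(Order("SPY", "buy", 10, 400.0)))
```

The ordering of the checks matters: policy violations (allowlist, notional cap) are rejected before the user is asked, so the confirmation prompt is never used to launder an out-of-policy order, and the journal records refusals as well as approvals so a post-incident review can see what the agent attempted.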

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Description-Behavior Mismatch

Severity: High | Confidence: 98%

The human summary materially conflicts with the declared skill purpose: instead of portfolio rebalancing and trade execution, it advertises quant research, data fetching, and backtesting workflows. This kind of scope mismatch is dangerous because it can cause the agent to invoke or recommend the skill in the wrong context, potentially leading to unauthorized financial analysis or execution-adjacent actions under misleading expectations.

Description-Behavior Mismatch

Severity: High | Confidence: 97%

The skill metadata advertises a multi-market robo-advisor, but the actual user-facing summary is centered on A-share/ZVT quant workflows and even warns that US support is half-baked. This capability mismatch is dangerous because users may invoke the skill for live or semi-live portfolio actions under false assumptions about broker, market, and compliance coverage, leading to unsuitable trading decisions or failed executions.

Description-Behavior Mismatch

Severity: Medium | Confidence: 92%

The manifest claims tax/fee-aware rebalancing and minimum trade-size intelligence, but the exposed capability summary instead markets generic quant backtesting. In a finance skill, this omission can cause users to rely on protections they believe exist, while the interaction surface does not foreground them or constrain use accordingly.

Context-Inappropriate Capability

Severity: Medium | Confidence: 88%

The skill bundles broad quant research, factor generation, training, and backtesting scaffolds that go beyond the declared robo-advisor rebalancing purpose. Excess capability increases misuse risk and widens the attack surface, especially when paired with execution and brokerage integration in the same skill definition.

Intent-Code Divergence

Severity: High | Confidence: 98%

The installation and human-summary text directly contradict the manifest by presenting the skill as an A-share quant strategy builder rather than an automated robo-advisor rebalancer. This kind of identity confusion is dangerous in financial automation because users cannot accurately understand what actions the skill may take or what controls actually apply.

Vague Triggers

Severity: Medium | Confidence: 90%

The execute trigger is defined with broad intent matching plus generic action verbs like 'run', 'execute', 'fetch', and 'collect', which can cause accidental invocation outside a clearly confirmed trading context. In a live trading or portfolio-rebalancing skill, unintended activation is dangerous because it may kick off data collection, backtesting, or even trading execution workflows without explicit user confirmation.

Missing User Warnings

Severity: High | Confidence: 97%

The skill advertises automated portfolio rebalancing and trade execution but does not present a prominent warning that actions may result in live order placement, transaction costs, slippage, taxes, or financial loss. Because this is a finance/trading skill, missing safety disclosure materially increases the chance that a user invokes the skill without understanding that it can affect real assets.

Vague Triggers

Severity: Medium | Confidence: 89%

The summary uses broad, catch-all phrasing such as 'Just tell me what you want; I'll write the code,' which can match many generic investing or coding requests without sufficient user specificity. In a financial skill, overbroad invocation increases the chance of accidental activation, causing the system to route users into code generation or strategy workflows they did not explicitly request.

Vague Triggers

Severity: High | Confidence: 96%

The execute trigger activates on broad positive terms plus generic verbs like run, execute, backtest, fetch, collect, making accidental or ambiguous activation more likely. In a skill that includes trading and execution logic, loose triggering can cause the agent to enter an operational path without sufficiently specific user intent.

Vague Triggers

Severity: Medium | Confidence: 84%

The post-install prompt uses an overly broad everyday-style invocation hint, which increases the chance that ordinary conversation is interpreted as a skill trigger. In a finance/trading context, even partial activation of execution-related flows is riskier than in a benign informational skill.
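The four trigger findings above describe one failure: a trigger that fires on action verbs alone, so everyday requests containing "run", "fetch" or "collect" can route into a trading skill. The following Python is an added illustration written for this page, not the skill's manifest and not the scanner's matcher; the trigger format, the term lists and the sample utterances are all constructed for the example. It runs a verb-only trigger and a conjunctive one (action verb plus a finance object, with live-order vocabulary routed to a confirmation step rather than execution) over the same utterances and reports the false-positive rate on the benign ones.

```python
import re
from typing import Callable, Iterable, List, Tuple

# Term lists are constructed for this example; they are not the skill's manifest.
ACTION_VERBS = {"run", "execute", "fetch", "collect", "backtest"}   # the verbs the findings cite
FINANCE_TERMS = {"portfolio", "rebalance", "order", "orders", "backtest",
                 "strategy", "ticker", "stock", "etf", "a-share", "factor"}
LIVE_TERMS = {"order", "orders", "buy", "sell", "place", "broker", "tradier"}


def tokens(text: str) -> set:
    """Lower-case word set; keeps hyphenated terms such as 'a-share' intact."""
    return set(re.findall(r"[a-z][a-z-]*", text.lower()))


def loose_trigger(text: str) -> bool:
    """Verb-only trigger, as the findings describe: any action verb fires it."""
    return bool(tokens(text) & ACTION_VERBS)


def strict_trigger(text: str) -> str:
    """Conjunctive trigger. Returns 'ignore', 'research' or 'needs_confirmation'.

    An action verb alone is not enough: a finance object must co-occur, and any
    live-order vocabulary goes to a confirmation step instead of execution.
    """
    t = tokens(text)
    if not (t & ACTION_VERBS and t & FINANCE_TERMS):
        return "ignore"
    if t & LIVE_TERMS:
        return "needs_confirmation"
    return "research"


# Constructed utterances: three everyday requests and two finance requests.
BENIGN = [
    "run the dishwasher cycle once the kids are asleep",
    "fetch me the latest football scores",
    "collect the conference feedback forms",
]
FINANCE = [
    "backtest a momentum strategy on A-share ETFs",
    "execute a rebalance of my portfolio and place the orders at the broker",
]


def compare(utterances: Iterable[str]) -> List[Tuple[str, bool, str]]:
    """Each utterance with the loose verdict and the strict routing decision."""
    return [(u, loose_trigger(u), strict_trigger(u)) for u in utterances]


def false_positive_rate(matcher: Callable[[str], bool], benign: Iterable[str]) -> float:
    """Fraction of benign utterances on which the matcher fires."""
    benign = list(benign)
    return sum(1 for u in benign if matcher(u)) / len(benign)


if __name__ == "__main__":
    for u, loose, strict in compare(BENIGN + FINANCE):
        print(f"loose={loose!s:5} strict={strict:18} {u}")
    print("loose FPR on benign:", false_positive_rate(loose_trigger, BENIGN))
    print("strict FPR on benign:", false_positive_rate(lambda u: strict_trigger(u) != "ignore", BENIGN))
```

A consumer cannot rewrite a third-party skill's trigger, but the host agent can apply a gate of this shape before routing, and the same conjunctive rule is what a tightened manifest trigger should express.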

Missing User Warnings

Severity: High | Confidence: 98%

The skill description discusses order placement via Tradier and trading execution but does not clearly warn users about live trading, broker-side effects, or irreversible financial consequences. In this context, lack of a prominent risk disclosure materially increases the chance of users authorizing actions they do not realize may affect real accounts.

Missing User Warnings

Severity: Medium | Confidence: 90%

The manifest references credentialed providers and environment variables, but there is no corresponding user-facing privacy or secret-handling notice. This is risky because users may be nudged to provide credentials without understanding storage, scope, or exposure risks, especially in an execution-oriented financial skill.

Ssd 4

Severity: Medium | Confidence: 83%

The state machine requires the agent to query its stored memory before collecting the required user inputs, which normalizes background data gathering before its necessity is established. In a finance skill this is more dangerous because account, market, and strategy context can be sensitive, and the flow may encourage unnecessary collection or reuse of prior data.

VirusTotal

64/64 vendors flagged this skill as clean. These are file-level malware verdicts; they say nothing about the description mismatches, trigger scoping, or missing risk disclosures listed above, which are agentic-risk issues rather than malware.
