Security audit

Climate Esg Investing

Security checks across malware telemetry and agentic risk

Overview

This looks like a finance analysis skill, but it needs review because it expands from ESG research into broader quant strategy, backtesting, broker-adjacent workflows, and automatic skill-file creation.

Install only if you want a broad finance/ZVT coding and backtesting assistant, not just ESG factor analysis. Keep it in research or paper/backtest mode unless you have separately reviewed any broker integration, credentials, order permissions, budget limits, and confirmation flow. Use a virtual environment, pin and verify external packages, and watch for generated .skill files that may affect future invocations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (16)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The manifest frames the skill as ESG/Fama-French analysis, but the documented pipeline explicitly includes trading_execution. That scope expansion is dangerous because a user or orchestrator may invoke the skill expecting passive analysis while the skill is designed to progress into potentially market-impacting actions without a clear capability boundary or safety gate.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The documentation asks for strategy type, backtest period, and target entities, introducing concrete trading and backtesting behavior beyond the stated ESG factor-analysis purpose. This mismatch can lead downstream systems or users to authorize a skill under false assumptions, increasing the risk of unintended financial actions or misuse of a broader-than-advertised capability.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding:
The skill is branded as climate ESG investing, but the prompts ask users to choose unrelated technical trading strategies such as MACD and MA crossover. This creates deceptive scope drift: users may trust the skill as an ESG analytics tool while being steered into speculative trading workflows that carry different risks and governance expectations.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding:
The human summary materially expands the skill from a climate-ESG/Fama-French analysis tool into a general ZVT quant trading and backtesting assistant. This scope mismatch can mislead users and orchestrators into invoking capabilities far beyond the declared purpose, increasing the chance of unintended code generation, market-data operations, or strategy execution in contexts that expected only bounded ESG analytics.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding:
The documentation presents the skill as climate-ESG/Fama-French-oriented, but the file content advertises unrelated technical-trading workflows and ZVT backtesting features. This inconsistency undermines trust boundaries and may cause downstream systems or users to rely on undocumented behavior, which is dangerous in financial-agent settings where tool scope should be precise and auditable.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The seed materially exceeds the advertised climate/ESG analysis scope and embeds a broad ZVT quant-trading and backtesting framework with strategy-generation semantics. This is dangerous because users or host systems may invoke capabilities they did not consent to, increasing the chance of unintended code generation, trading-oriented behavior, or misuse under a misleading skill identity.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding:
The user-facing documentation advertises A-share quant strategy building, MACD backtests, and general ZVT workflows, which contradict the stated ESG factor-analysis purpose. This mismatch is dangerous because it can socially engineer operators into trusting or invoking broader financial automation than expected, defeating least-privilege and safe-scope assumptions.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding:
The human summary further reinforces the scope mismatch by promoting generic ZVT quant strategy, MACD backtests, target selection, and index collection rather than a focused climate ESG analysis workflow. In context, this increases danger because summaries are often what users trust first, making accidental invocation and over-permissioned use more likely.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding:
Embedding trading-execution semantics and strategy-output validation in a climate ESG analysis skill introduces capabilities not justified by the declared purpose. This is dangerous because it normalizes progression from research analysis into execution-oriented workflows, raising the risk of unintended trading automation or misleading output validation centered on backtests rather than analysis integrity.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The scaffold and acceptance gates are centered on generating backtest scripts and producing result.csv outputs, which do not align with the advertised ESG research function. While less directly dangerous than explicit execution semantics, this still steers the host toward code generation and execution patterns outside the user-expected scope.

Vague Triggers

Severity: Medium
Confidence: 96%
Finding:
The execute trigger activates when intent roughly matches listed terms and the user uses generic action verbs like run, execute, fetch, or backtest. Such a broad trigger can cause unintended activation from ordinary analytical conversations, which is especially dangerous in a skill that references trading execution and order semantics.

Vague Triggers

Severity: Low
Confidence: 82%
Finding:
Generic trigger phrases like factor correlation or statistical tests may overlap with common finance or research requests, causing the skill to activate outside its intended context. In a skill whose docs mention trading and backtesting, accidental activation increases the chance of unauthorized data operations or progression into higher-risk workflows.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The pipeline includes trading_execution, but the skill does not warn that actions may be real, financially impactful, or connected to broker/exchange systems. Missing risk disclosure is dangerous because users may treat outputs as harmless analysis and unknowingly authorize or rely on actions with direct monetary consequences.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding:
The phrase 'Just tell me what you want; I'll write the code' is overly broad and encourages open-ended use beyond the skill's stated domain. In an agent environment, broad invocation language can trigger the skill for requests it should not handle, leading to unintended code generation or activation outside the reviewed ESG-analysis use case.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
The execute trigger matches broad action verbs like run/execute combined with common positive terms, making accidental skill invocation plausible. In a skill that already has scope drift toward broader trading/backtesting behavior, overbroad triggering is more dangerous because it lowers the bar for unintended activation.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
An overly broad sample trigger overlaps with ordinary language, which can cause the host to route benign conversation into this skill unintentionally. Given the skill's mismatched and expanded capabilities, accidental routing increases the likelihood of unauthorized or confusing behavior.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.