Security audit

Czsc Chan Theory

Security checks across malware telemetry and agentic risk

Overview

It looks like a finance research helper, but it covers broader data, credential, upload, and persistent setup behavior than its narrow CZSC listing suggests.

Install only if you are comfortable with an agent generating and running finance data/backtest code, installing unpinned Python packages in an isolated environment, using external data providers, and writing local ZVT data plus possible saved skill files. Do not provide paid-provider, broker, or Feishu credentials unless you explicitly intend that integration and can review the generated code and destinations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (11)

Description-Behavior Mismatch

Severity: Medium (91% confidence)
The human summary materially expands the skill's apparent scope from CZSC Chan-theory analysis to a broader ZVT quant platform that can fetch data, write code, and run end-to-end backtests. This can mislead users and orchestrators into invoking the skill for capabilities it may not safely or actually implement, increasing the chance of inappropriate tool use, over-privileged execution, or unsafe downstream code generation.

Description-Behavior Mismatch

Severity: Low (84% confidence)
The summary claims support for HK and crypto markets despite the manifest describing a narrower A-share-oriented CZSC analysis/backtesting tool. Even if partially true in the underlying ecosystem, this mismatch can cause users to rely on unsupported market coverage, producing erroneous analyses or triggering workflows outside the validated skill boundary.

Description-Behavior Mismatch

Severity: High (98% confidence)
The seed materially exceeds the stated skill purpose. A skill presented as a CZSC Chan-theory analysis tool actually embeds broad ZVT-based data collection, execution, persistence, reporting, and live-trading workflow logic, which violates least-privilege and can cause the host to invoke capabilities the user did not intend to authorize. In an agent setting, this scope drift is dangerous because users and policy layers may trust the manifest while the actual artifact enables much broader behavior.

Context-Inappropriate Capability

Severity: Medium (93% confidence)
Feishu upload and token-management capability is unrelated to the advertised Chan-theory analysis purpose, yet it introduces external data egress and credential-handling behavior. Even if intended for convenience, unnecessary outbound integration increases attack surface and can enable silent exfiltration of reports, data, or artifacts from the workspace.

Context-Inappropriate Capability

Severity: Medium (90% confidence)
Bundling Sphinx documentation configuration into a trading-analysis skill is a genuine scope-integrity issue. While not directly dangerous like credential use or code execution, it weakens trust boundaries and suggests the skill can accrete unrelated capabilities that operators may not review under the expected threat model.

Intent-Code Divergence

Severity: Medium (91% confidence)
Human-facing content says the tool helps build quant strategies 'with ZVT', which conflicts with the skill branding as a CZSC Chan-theory tool. This mismatch can mislead users into authorizing or trusting a different execution stack than advertised, especially because ZVT-oriented workflows include broader data and trading operations.

Intent-Code Divergence

Severity: Medium (95% confidence)
The human summary advertises expanded markets and end-to-end pipelines beyond the manifest, including HK, crypto, and broad ZVT workflows. This increases the chance of user confusion and unintended invocation of capabilities outside the expected A-share/CZSC analysis scope, making policy enforcement and consent less reliable.

Vague Triggers

Severity: Medium (90% confidence)
The execute trigger activates when broad intent terms match and the user uses common action verbs like run, execute, fetch, collect, or their Chinese equivalents. In a finance/trading skill, this can cause the agent to enter an execution path from ordinary conversational requests, increasing the chance of unintended data operations, backtests, or downstream trading-related actions without sufficiently explicit confirmation.

Vague Triggers

Severity: Medium (85% confidence)
The listed triggers include generic terms such as documentation, configuration, benchmark, performance, speed, volatility, classification, and signal, which commonly appear in benign discussion. Because this skill operates in a financial analysis context with execution-capable routing, these broad keywords make accidental activation and context misclassification more likely, especially when paired with permissive execute logic.

Vague Triggers

Severity: Medium (88% confidence)
Phrases like 'Just tell me what you want; I'll write the code' are overly broad and encourage open-ended invocation beyond the declared CZSC analysis scope. In agent environments, this can lead to accidental routing of unrelated tasks to the skill, causing unintended actions, unreviewed code generation, or misuse of connected data/backtesting components.

Vague Triggers

Severity: Medium (94% confidence)
The execute trigger matches on broad generic verbs and common terms, which raises the risk of accidental or overly broad activation. In an agent environment, loose intent routing can cause execution of install, fetch, or backtest flows when the user only intended to discuss or ask questions, creating unwanted side effects.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.