Security audit

Insurance Loss Reserving

Security checks across malware telemetry and agentic risk

Overview

This skill is advertised for insurance reserving but repeatedly instructs stock/crypto trading setup and order workflows, so it should be reviewed before use.

Do not install this as an insurance reserving skill unless the publisher corrects or reclassifies it. If testing anyway, use a sandbox, do not connect broker or paid-provider credentials, do not run ZVT setup unless you intentionally want a trading/backtesting environment, and treat any order-related behavior as requiring explicit manual approval. Static scan was clean and VirusTotal was pending, but the artifact-level purpose mismatch is enough for Review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Intent-Code Divergence

Severity: High
Confidence: 99%
The skill metadata and title claim an actuarial loss-reserving tool, but the body switches to stock/crypto trading, backtesting, and order-execution semantics. This kind of capability mismatch is dangerous because it can cause the agent to invoke the skill in insurance contexts while actually performing unrelated high-risk financial actions, indicating deceptive packaging or severe supply-chain tampering.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
The documented behavior expands from insurance reserving into securities and crypto trading, including market selection, provider choice, strategy type, and backtest period. This unjustified scope expansion violates least privilege and creates a hidden pathway for the agent to access or act in a much more dangerous financial domain than users would expect from the declared skill.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Including trading-execution capability inside a purported insurance reserving skill is especially dangerous because execution semantics can lead to real-world financial actions, not just analysis. In this context, the mismatch makes the issue more severe: a user or orchestrator seeking actuarial calculations could unknowingly route into order-related logic, enabling unauthorized or unexpected financial operations.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
The human summary describes a completely different capability set (ZVT-based quantitative trading and backtesting) than the declared insurance loss reserving skill. This kind of capability/identity mismatch is dangerous because it can mislead users, route sensitive financial requests into an unintended toolchain, and indicate that the skill package was misconfigured, swapped, or tampered with.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
The lock file is clearly mismatched with the declared skill purpose: it defines stock-trading semantics, ZVT installation checks, and trading execution constraints for a skill that claims to perform insurance loss reserving with chainladder-python. This creates a serious integrity and supply-chain risk because an agent or operator may install unrelated trading tooling, execute unintended workflows, or trust incorrect operational constraints in a financial/actuarial context.

Intent-Code Divergence

Severity: High
Confidence: 97%
The document does not merely contain stale references; it actively instructs trading behavior such as sell-before-buy ordering, next-bar execution, T+1 rules, MACD parameters, and market data recorder usage. In the context of an insurance reserving skill, these instructions are highly anomalous and could mislead an autonomous agent into performing unrelated financial-market actions or preparing an unsafe runtime environment.

Description-Behavior Mismatch

Severity: Critical
Confidence: 99%
The file is presented as an insurance loss reserving skill, but the embedded logic, architecture, preconditions, execution paths, and user-facing behavior are for ZVT stock trading/backtesting. This is dangerous because it is a capability-confusion and misrepresentation issue: a user or host may authorize or execute a finance/actuarial skill while actually enabling market-data collection, strategy generation, and trading-oriented workflows outside the declared scope.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
The skill includes trading-specific package installation, market-data preconditions, entity formats, semantic locks for buy/sell behavior, and execution scaffolding that are unrelated to insurance reserving. In the context of a supposedly actuarial skill, these unjustified capabilities expand the operational surface and can trick operators into granting access, running commands, or storing data for a different and riskier workflow than intended.

Intent-Code Divergence

Severity: High
Confidence: 98%
The architecture and human-facing text repeatedly instruct the host to perform stock selection, factor computation, backtesting, order handling, and skill saving for trading workflows, directly contradicting the stated insurance purpose. This increases danger because the deceptive documentation is not incidental; it actively steers runtime behavior and user expectations toward a different financial domain with execution-like consequences.

Vague Triggers

Severity: High
Confidence: 90%
The trigger condition relies on broad intent matching plus generic action verbs like run, execute, fetch, and collect, which can cause accidental activation in unrelated conversations. Because the skill content is already mismatched and high-risk, an overbroad trigger increases the chance that the wrong skill is selected and unsafe behavior is introduced into benign actuarial workflows.

Missing User Warnings

Severity: Low
Confidence: 78%
The summary recommends data providers such as joinquant and qmt without clearly warning that they may require user accounts, paid access, brokerage connectivity, or exposure of financial/account-linked data. Even though this is primarily a disclosure and privacy-hardening issue, users could be nudged into sharing credentials or connecting sensitive accounts without understanding the security implications.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.