
Security audit

Tensortrade Rl Env

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a finance/backtesting helper, but its advertised TensorTrade identity conflicts with its ZVT-focused setup steps, installation commands, and user guidance.

Review this carefully before installing. Treat it as an inconsistent ZVT/TensorTrade finance skill, use an isolated Python environment, require explicit confirmation before any package install or command execution, and do not provide broker, wallet, or paid data-provider credentials unless you have reviewed the generated code and intended data paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The human summary materially misrepresents the skill’s purpose by describing a ZVT-based A-share quant workflow instead of the declared TensorTrade multi-market RL environment. This can mislead users and downstream agents into invoking the skill with the wrong assumptions, causing unsafe tool usage, incorrect financial analysis, or execution of unintended code paths and integrations.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
The seed manifest is materially inconsistent with the declared skill identity: it presents a TensorTrade RL environment skill, but the embedded behavior, preconditions, pipelines, and operational guidance are for a ZVT A-share backtesting skill. This is dangerous because operators and downstream agents may invoke, install, or trust the skill under false assumptions, causing capability confusion, incorrect code generation, and unintended execution of the wrong financial workflow.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
The install and execution flow provisions ZVT packages and ZVT-oriented workflows despite the skill claiming to provide TensorTrade RL environment construction. This mismatch can cause unauthorized or surprising environment modification and leads users to run the wrong tooling stack, especially in financial contexts where framework semantics and risk controls differ significantly.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
User-facing documentation explicitly tells users the skill builds A-share strategies with ZVT, directly contradicting the advertised TensorTrade identity. This is dangerous because it socially engineers trust in a different toolchain than the one the user selected, increasing the chance of mistaken execution, wrong expectations, and unsafe financial outputs generated under a false label.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The post-install notice positions the skill as a ZVT A-share workflow after installation, which confirms that the actual operator experience diverges from the declared TensorTrade RL skill. This is particularly risky because the contradiction appears after system modification, meaning users may only discover the mismatch after packages are installed or the workspace has been altered.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger design is broad enough to activate on common words such as documentation, portfolio, or visualization, or on generic action verbs, which can cause the skill to run when the user did not explicitly request this capability. In an agent setting, unintended invocation can lead to incorrect tool selection, unnecessary processing, or execution of trading/backtesting workflows in the wrong context.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The execute trigger relies on unspecified logic such as intent_router matching and a broad set of action verbs, making activation behavior non-deterministic and difficult to audit. Ambiguous routing in an autonomous agent increases the chance of accidental execution, especially for a skill that can influence financial analysis and trading-related operations.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The activation trigger uses broad intent matching plus generic action verbs, making accidental invocation plausible during ordinary conversation. In a skill that can install packages, write files, and steer execution paths, overly permissive triggering increases the chance of unintended system changes without sufficiently clear user intent.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
Several use-case trigger lists contain vague, common terms such as 'training', 'simple', or 'profit', which are not specific enough to safely distinguish intent. In combination with automatic execution logic, this can route users into the wrong financial workflow or trigger installs and code generation from ambiguous requests.
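To make the trigger-breadth problem in the four findings above concrete, here is an added example (not code from the audit tool or from the audited skill) that scores a hypothetical flat keyword trigger against a constructed set of benign prompts, alongside a stricter trigger that only fires when a domain anchor and an action verb appear together. The trigger lists, anchor words, and prompts are assumptions for illustration; the skill's real trigger format is not shown on this page.

```python
import re

# Hypothetical broad trigger of the kind the findings describe: a flat list
# of common words and generic action verbs (assumed, not the skill's real list).
BROAD_TRIGGER = {"documentation", "portfolio", "visualization", "training",
                 "simple", "profit", "build", "run", "create"}

# Stricter alternative: fire only when a domain anchor AND an action verb
# appear together, so ordinary conversation does not activate the skill.
ANCHORS = {"tensortrade", "zvt", "backtest", "backtesting", "a-share"}
VERBS = {"build", "run", "create", "train"}

WORD = re.compile(r"[a-z][a-z\-]*")


def tokens(text):
    """Lower-cased word set; hyphenated terms such as 'a-share' stay whole."""
    return set(WORD.findall(text.lower()))


def broad_fires(text):
    """Any single keyword in the message activates the skill."""
    return bool(tokens(text) & BROAD_TRIGGER)


def strict_fires(text):
    """Requires a domain anchor and an action verb in the same message."""
    t = tokens(text)
    return bool(t & ANCHORS) and bool(t & VERBS)


# Constructed prompts. None of the benign ones asks for a trading or RL skill.
BENIGN_PROMPTS = [
    "Please update the documentation for the login service.",
    "Create a simple visualization of our support ticket volume.",
    "Which training course should a junior engineer take first?",
    "Run the unit tests and summarize the failures.",
    "Add a portfolio page to my personal website.",
    "Explain the profit and loss statement in this PDF.",
]
INTENDED_PROMPTS = [
    "Build a TensorTrade RL environment for BTC/USD minute bars.",
    "Run a zvt backtest of a momentum strategy on A-share data.",
]


def false_positive_rate(fires, prompts=BENIGN_PROMPTS):
    """Share of unrelated prompts on which the trigger activates."""
    return sum(1 for p in prompts if fires(p)) / len(prompts)


def recall(fires, prompts=INTENDED_PROMPTS):
    """Share of genuine requests the trigger still catches."""
    return sum(1 for p in prompts if fires(p)) / len(prompts)


if __name__ == "__main__":
    for name, fn in (("broad", broad_fires), ("strict", strict_fires)):
        print(f"{name:6s} FPR={false_positive_rate(fn):.2f} "
              f"recall={recall(fn):.2f}")
```

On the constructed prompts the broad list fires on every benign request (false-positive rate 1.0) while the strict trigger fires on none, and both still catch the two intended requests. The same harness can be pointed at a corpus of real, unrelated prompts from the agent's own logs before a skill is enabled, which turns "vague trigger" from a judgment call into a measured rate.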

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The manifest allows automatic package installation and later writes skill files, but it does not provide an up-front, clear activation-time warning that the system will modify the environment and persist artifacts. This weakens informed consent and can lead to silent workspace or host changes, especially harmful in shared or production-adjacent environments.
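The description/behavior mismatch findings and this consent finding are both checkable before anything is installed. The following added example (not the audit tool's code and not the skill's real manifest) lints a constructed JSON manifest with hypothetical field names: it compares the framework named in the identity fields against the packages the install commands actually provision and against the post-install notice, and flags automatic installation that ships without an activation-time warning. A second, consistent manifest shows what a clean result looks like.

```python
import json
import re

# Constructed manifest modelled on the mismatch the findings describe
# (hypothetical field names and values; not the skill's real manifest).
MISMATCHED_MANIFEST = """
{
  "name": "tensortrade-rl-env",
  "description": "Builds TensorTrade reinforcement-learning trading environments.",
  "install": ["pip install zvt", "pip install pandas"],
  "auto_install": true,
  "user_warning": "",
  "post_install_notice": "ZVT A-share workflow ready. Run zvt.init_env() to begin."
}
"""

# The same skill with identity, install step and consent gate made consistent.
CONSISTENT_MANIFEST = """
{
  "name": "tensortrade-rl-env",
  "description": "Builds TensorTrade reinforcement-learning trading environments.",
  "install": ["pip install tensortrade", "pip install pandas"],
  "auto_install": true,
  "user_warning": "This skill will run pip install and write files under ./skills/.",
  "post_install_notice": "TensorTrade environment helpers installed."
}
"""

# Frameworks whose mention in text or install steps we treat as an identity signal.
FRAMEWORKS = ("tensortrade", "zvt")

PIP_PKG = re.compile(r"pip\s+install\s+([A-Za-z0-9_.\-]+)")


def frameworks_in(text):
    """Return the subset of FRAMEWORKS mentioned in free text."""
    low = text.lower()
    return {f for f in FRAMEWORKS if f in low}


def installed_frameworks(manifest):
    """Frameworks actually provisioned by the manifest's pip install commands."""
    pkgs = set()
    for cmd in manifest.get("install", []):
        pkgs.update(p.lower() for p in PIP_PKG.findall(cmd))
    return {f for f in FRAMEWORKS if f in pkgs}


def lint(manifest_json):
    """Return a list of finding ids for the manifest; an empty list means clean."""
    m = json.loads(manifest_json)
    findings = []
    declared = frameworks_in(f"{m.get('name', '')} {m.get('description', '')}")
    installed = installed_frameworks(m)
    # Identity names one framework while the install step provisions another.
    if declared and installed and not (declared & installed):
        findings.append("description-behavior-mismatch")
    # Post-install text tells the operator they received a different framework.
    noticed = frameworks_in(m.get("post_install_notice", ""))
    if declared and noticed and not (declared & noticed):
        findings.append("post-install-notice-mismatch")
    # Environment is modified automatically with no activation-time warning.
    if m.get("auto_install") and not m.get("user_warning", "").strip():
        findings.append("missing-user-warning")
    return findings


if __name__ == "__main__":
    print("mismatched:", lint(MISMATCHED_MANIFEST))
    print("consistent:", lint(CONSISTENT_MANIFEST))
```

The mismatched manifest yields all three finding ids; the consistent one yields none. The check is deliberately conservative: it only reports a mismatch when both sides name a known framework and the sets do not overlap, so a skill that installs only generic packages such as pandas is not flagged on that basis alone.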

VirusTotal

None of the 61 VirusTotal vendors flagged this skill (0/61 detections).


Static analysis

No suspicious patterns detected.