Security audit

Vectorbt Vectorized

Security checks across malware telemetry and agentic risk

Overview

This finance skill mixes VectorBT, ZVT, live signaling, documentation automation, credentialed providers, and automatic saved-skill creation in a way users should review before installing.

Install only if you deliberately want a broad finance automation skill, not just VectorBT backtesting. Use a virtual environment, approve every install or generated command, avoid broker credentials unless necessary, and opt out of saved-skill creation unless you explicitly want persistent new skill files.

SkillSpector (by NVIDIA)
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (15)

Description-Behavior Mismatch

Severity: Medium | Confidence: 95%
The skill manifest positions this as a finance backtesting/factor-research tool, but the listed use cases include unrelated documentation and MkDocs automation. This scope drift can cause an agent to invoke the skill in unintended contexts, expanding access and behavior beyond the declared domain and weakening operator expectations and policy controls.

Intent-Code Divergence

Severity: Low | Confidence: 83%
The pipeline includes trading_execution even though the manifest markets the skill as a backtesting and factor-research tool. In an agent setting, this mismatch is risky because users or orchestrators may assume analysis-only behavior while the workflow suggests operational trade actions, raising the chance of unintended real-world execution.

Description-Behavior Mismatch

Severity: Medium | Confidence: 94%
The human summary materially conflicts with the declared skill identity by presenting the tool as a ZVT-based A-share assistant rather than a VectorBT-based backtesting skill. This kind of capability and framework mismatch can mislead users and downstream agents into invoking the wrong libraries, assumptions, data sources, or workflows, increasing the chance of unsafe code generation, inappropriate permissions use, or execution in an unintended environment.

Description-Behavior Mismatch

Severity: Medium | Confidence: 89%
The use cases include documentation-generation tasks that are unrelated to the stated purpose of vectorized backtesting and factor research. Over-broad or mismatched task descriptions can cause the skill to be routed to contexts it was not designed for, weakening trust boundaries and making it harder for users or automated systems to understand what actions are appropriate.

Description-Behavior Mismatch

Severity: High | Confidence: 98%
The seed file materially mismatches the advertised skill identity: the metadata says this is a VectorBT vectorized backtesting tool, but the body defines a ZVT/OpenClaw agent with installation, execution, validation, and persistence workflows. This kind of capability/identity drift is dangerous because users or downstream policy engines may grant trust, permissions, or execution based on the benign-looking manifest while the actual artifact performs a broader and different set of actions.

Description-Behavior Mismatch

Severity: Medium | Confidence: 94%
The artifact advertises finance/backtesting functionality but includes documentation-generation and MkDocs navigation update use cases unrelated to that scope. Hidden or out-of-scope capabilities increase attack surface and make intent routing easier to abuse, because a caller can trigger non-finance operations under the cover of a finance-labeled skill.

Description-Behavior Mismatch

Severity: High | Confidence: 97%
The seed routes live Telegram signal bot behavior even though the manifest frames the artifact as a backtesting/factor research tool. Expanding from offline research into live or near-live signaling changes the risk profile substantially, because it can influence real trading actions and external communications while bypassing user expectations set by the manifest.

Context-Inappropriate Capability

Severity: Medium | Confidence: 90%
Automatic documentation generation is context-inappropriate for a finance backtesting skill and indicates unnecessary capability breadth. Even if not directly harmful by itself, unrelated automation paths create confusion, broaden reachable behaviors, and can be combined with routing ambiguity to make the agent act outside its expected trust boundary.

Context-Inappropriate Capability

Severity: Medium | Confidence: 92%
The skill crystallization logic persists new .skill files after execution, which is unrelated to the declared VectorBT research purpose and introduces a persistence mechanism. Persistence is security-relevant because it can create durable state or secondary executable artifacts that outlive the original interaction and may be invoked later under a misleading name.

Intent-Code Divergence

Severity: High | Confidence: 99%
The user-facing summary states the skill helps build A-share strategies with ZVT, directly contradicting the manifest's VectorBT identity. This is a high-risk trust-boundary issue because users and reviewers may rely on top-level metadata while the actual prompts and behavior steer toward a different framework, dependency set, and execution model.

Intent-Code Divergence

Severity: High | Confidence: 99%
The human summary tagline explicitly describes a ZVT A-share workflow, contradicting the stated VectorBT-based identity. Such contradictory branding is dangerous because it conceals the real dependency and behavior surface, undermining review, approval, and user consent for the actions the skill may take.

Intent-Code Divergence

Severity: Medium | Confidence: 95%
The summary claims automatic fetching of ZVT-specific semantic locks, defaults, and entity-ID conventions, which conflicts with the VectorBT framing and exposes hidden implementation assumptions. This inconsistency matters because it can lead operators to trust incompatible safety or execution guarantees, and it signals that the artifact's real behavior differs from its declared role.

Vague Triggers

Severity: Medium | Confidence: 90%
The trigger terms are broad and include generic words such as api, documentation, and generate, which can match many unrelated user requests. This increases the likelihood of accidental skill activation, causing the agent to load or apply a finance-oriented skill outside its intended context and potentially perform inappropriate actions or expose internal capabilities.

Vague Triggers

Severity: High | Confidence: 97%
The global execute trigger activates when intent roughly matches configured terms and the user uses common action verbs like run, execute, 跑, 执行, backtest, fetch, or collect. This is dangerously ambiguous in an autonomous agent environment because it can cause broad, unintended invocation and kick off data collection or trading-related flows without sufficiently specific confirmation.

Vague Triggers

Severity: Medium | Confidence: 88%
The execute trigger uses broad generic verbs like run/execute/backtest/fetch/collect, making intent matching overly permissive. In a skill that already contains mixed and mismatched capabilities, broad triggers increase the likelihood of accidental or adversarial activation of workflows the user did not specifically request.

VirusTotal

64/64 vendors flagged this skill as clean.