Trading Agents Cn

Security checks across malware telemetry and agentic risk

Overview

This finance skill is mostly documented as a stock analysis/backtesting helper, but it also includes under-scoped internal-message crawling, persistent storage, and broad execution triggers that need review before installation.

Install only if you intend to review and control the full capability set, not just stock backtesting. Use an isolated Python environment, pin dependencies, provide only scoped credentials, avoid broker-connected or live-trading use unless independently authorized, and do not run internal-message crawlers unless the data source, authorization, storage location, retention, and deletion process are explicit.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The documented use cases materially expand the skill from stock analysis into social-media/internal-message crawling and message-database ingestion. That scope expansion can cause operators to deploy the skill with broader data-collection and surveillance capabilities than the manifest suggests, undermining informed consent, review, and least-privilege assumptions.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The seed's declared purpose is A-share analysis/backtesting, but it also provisions a broad web API stack, async queuing, Redis pub/sub, MongoDB persistence, and crawler infrastructure. This scope expansion materially increases attack surface and privilege requirements, making the skill capable of networked data collection and service orchestration beyond what a user would reasonably expect from the manifest.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The capability to crawl 'internal messages from corporate sources' is especially sensitive because it implies collection of non-public or proprietary communications. In a trading-analysis context, this creates serious risks of unauthorized data acquisition, insider-information misuse, and regulatory exposure far beyond normal market-data research.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
Broad social-media and message-crawling automation is not clearly justified by the advertised core functions of stock comparison, backtesting, and factor research. That mismatch matters because automated scraping/scheduling introduces persistent network access, collection of third-party content, and ongoing operational behavior that users may not anticipate from a research skill.

Intent-Code Divergence

Medium
Confidence: 87%
Finding
The seed contains conflicting claims: some sections say it is a pure backtesting/research framework, while others repeatedly reference live-trading and order-execution contexts. This inconsistency is dangerous because operators may apply the skill in live or quasi-live settings under false assumptions about safeguards, suitability, and regulatory boundaries.

Vague Triggers

Medium
Confidence: 91%
Finding
The execute trigger is defined by broad intent-term matching plus common action verbs like run/execute/执行/backtest/fetch/collect, which can cause the skill to activate on ordinary analytical or exploratory user requests rather than explicit consent to perform the workflow. In a trading/backtesting skill, unintended activation is more dangerous because it can initiate data collection, signal generation, or downstream trading-oriented steps with financial consequences or misleading outputs.

Vague Triggers

Medium
Confidence: 87%
Finding
The listed trigger phrases such as batch analysis, custom analysis, personalized, multiple stocks, and comparison report are generic enough to overlap with normal finance conversations, making accidental routing likely. In this skill's context, those phrases map into a multi-stage trading analysis pipeline, so overbroad matching can unintentionally expose users to execution-oriented behavior or outputs they did not clearly request.

VirusTotal

64/64 vendors flagged this skill as clean.