Zipline Daily Backtest

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it needs review because its backtesting purpose is mixed with unrelated instructions covering documentation deployment, the ZVT framework, credentials, conversational memory, and persistence.

Install only if you are comfortable reviewing each requested command, credential prompt, memory use, and output path. Use an isolated Python environment, prefer free/read-only data sources, avoid broker or paid-provider credentials unless explicitly needed, and do not run the documentation-deployment path without confirming the exact files and target.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Severity: High
Confidence: 96%
The skill advertises stock backtesting and factor research, but the top use case switches to documentation deployment. This kind of capability drift can misroute user intent, cause the wrong workflow to activate, and undermine trust in what actions the skill will actually perform. In an agent setting, misleading use cases increase the chance of unintended execution paths.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
The getting-started tutorial use case is inconsistent with a skill positioned as an execution-oriented backtesting tool. While less dangerous than deployment drift, it still broadens the skill's apparent scope and can cause incorrect invocation or user confusion about whether the skill teaches, executes, or modifies trading workflows. This ambiguity is risky in financial tooling because users may rely on the wrong assumptions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
The human summary materially misrepresents the skill as a ZVT-based workflow for A-share/HK/crypto, while the metadata says this is a Zipline daily backtesting skill. This kind of capability/identity mismatch can mislead users and downstream agents into invoking the wrong libraries, data models, or market assumptions, causing unsafe code generation, incorrect financial analysis, or unintended external integrations.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
The seed declares a Zipline backtest skill, but execution protocol, dependencies, preconditions, semantic locks, and guidance are largely wired to ZVT. This kind of capability/identity mismatch is dangerous because the agent may execute the wrong toolchain, apply inapplicable constraints, or request/install unintended packages, producing incorrect outputs and potentially unsafe code paths for finance workflows.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
The manifest advertises Zipline multi-market/factor-research support, while the human-facing text narrows the real workflow to ZVT-centric A-share usage and explicitly downplays US support. This misrepresentation can steer users into unsuitable markets or frameworks, yielding faulty financial analysis and incorrect expectations about coverage and correctness.

Intent-Code Divergence

Severity: High
Confidence: 97%
Post-install messaging tells users the skill helps build A-share strategies with ZVT, directly contradicting the declared Zipline identity. In an agent setting, contradictory user-facing guidance can cause wrong execution-path selection, dependency installation, and trust in outputs from the wrong framework.

Intent-Code Divergence

Severity: High
Confidence: 98%
The human summary explicitly frames the skill as a ZVT A-share assistant rather than a Zipline backtesting skill. Because these summaries drive user intent routing and operator trust, the contradiction materially increases the chance of invoking the wrong framework and producing misleading backtest guidance.

Vague Triggers

Severity: Medium
Confidence: 95%
The trigger phrases are broad terms such as deploy, tutorial, learn, example, and simple order, which are likely to appear in ordinary conversation. Overbroad triggers can cause accidental skill activation, especially when combined with an agent that auto-routes requests, leading to unintended financial or file-system related actions. The mixed-domain use cases make this more dangerous because activation may invoke the wrong class of behavior entirely.

Vague Triggers

Severity: Medium
Confidence: 97%
The execute trigger condition activates whenever the user's intent merely matches the skill's positive terms and includes a generic action verb such as run, execute, 跑 (Chinese for "run"), or backtest. This is ambiguous enough to auto-fire on many benign requests, creating a substantial risk of unintended execution in a financial context, where data collection, strategy runs, or order-generation logic may be initiated without clear user consent. Because the skill mentions trading execution in its pipeline, mistaken activation carries elevated operational risk.
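To make the two trigger findings concrete, the following added example (written for this page; it is not the scanned skill's own trigger code, whose actual rule file is not shown) models the broad rule the scanner describes beside a narrower one. The vocabularies, the assumed set of "positive terms", the prompts, and the routing labels are all constructed assumptions.

```python
import re

# Assumed vocabularies mirroring the scanner's description of the skill's triggers.
# The skill's real trigger file is not on the page; these sets are illustrative.
GENERIC_ACTION_VERBS = {"run", "execute", "跑", "backtest"}   # 跑 is Chinese for "run"
BROAD_USE_CASE_WORDS = {"deploy", "tutorial", "learn", "example", "simple order"}
POSITIVE_TERMS = {"strategy", "factor", "portfolio", "backtest", "zipline"}  # assumed

# Narrower rule: the framework must be named, a backtesting object must be present,
# and anything that sounds like live trading is diverted to an explicit confirmation.
FRAMEWORK_TERMS = {"zipline"}
BACKTEST_OBJECTS = {"backtest", "strategy", "factor", "pipeline", "bundle"}
LIVE_TRADING_TERMS = {"order", "orders", "broker", "live"}

WORD_RE = re.compile(r"[a-z0-9_]+")
CJK_RE = re.compile(r"[\u4e00-\u9fff]")


def matches(text, terms):
    """Whole-word match for Latin words and phrases, substring match for CJK terms."""
    low = text.lower()
    words = set(WORD_RE.findall(low))
    for term in terms:
        if CJK_RE.search(term):
            if term in low:
                return True
        elif " " in term:
            if re.search(r"\b" + re.escape(term) + r"\b", low):
                return True
        elif term in words:
            return True
    return False


def broad_trigger(text):
    """The rule as the findings describe it: any broad use-case keyword, or any
    positive term combined with any generic action verb, activates the skill."""
    if matches(text, BROAD_USE_CASE_WORDS):
        return "activate"
    if matches(text, POSITIVE_TERMS) and matches(text, GENERIC_ACTION_VERBS):
        return "activate"
    return None


def narrow_trigger(text):
    """Hardened rule: framework + backtesting object + action verb are all required,
    and live-trading language is routed to a confirmation step, never to execution."""
    if not (matches(text, FRAMEWORK_TERMS)
            and matches(text, BACKTEST_OBJECTS)
            and matches(text, GENERIC_ACTION_VERBS)):
        return None
    if matches(text, LIVE_TRADING_TERMS):
        return "confirm"
    return "backtest"


# Constructed prompts (not from the page): ordinary chatter next to real requests.
PROMPTS = [
    "Can you walk me through a quick tutorial on deploying the docs site?",
    "Run the factor analysis on the marketing survey data",
    "Backtest my momentum strategy with zipline on daily bars",
    "Run the zipline strategy and then place the orders with my broker",
]


def compare(prompts=PROMPTS):
    """Map each prompt to (broad rule result, narrow rule result)."""
    return {p: (broad_trigger(p), narrow_trigger(p)) for p in prompts}


if __name__ == "__main__":
    for prompt, (broad, narrow) in compare().items():
        print(f"{str(broad):>8} | {str(narrow):>8} | {prompt}")
```

The broad rule fires on the documentation question and on "factor analysis" of survey data, neither of which has anything to do with backtesting; the narrow rule fires only when Zipline and a backtesting object are both named, and it still refuses to silently execute the prompt that mentions orders and a broker.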

Ssd 3

Severity: Medium
Confidence: 90%
The artifact instructs agents to consult host conversational memory files and treat them as part of task execution context. That creates a path for unnecessary retrieval and reuse of prior conversation data, increasing risk of privacy leakage, cross-task contamination, and use of stale or unrelated sensitive information.

Ssd 3

Severity: Medium
Confidence: 92%
Mandating that all memory queries be attempted before proceeding effectively encourages broad collection of stored conversational context even when the current task does not need it. In a finance-related skill, that raises the risk of leaking prior sensitive requests, credentials, trading intents, or other confidential context into the current execution.
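The two memory findings above describe a policy problem rather than a specific bug, so the following added example (written for this page, not code from the scanned skill or its host) shows the difference between pulling every memory entry into context and a task-scoped lookup that redacts credential-shaped values. The memory entries, their field names, the tags, and the secret pattern are constructed assumptions; a real host's memory format will differ.

```python
import re

# Constructed host memory entries (not from the page). The field layout is assumed.
MEMORY = [
    {"id": 1, "tags": ["broker", "setup"],
     "text": "Set BROKER_API_KEY=AKIAEXAMPLEKEY0001 for the live account"},
    {"id": 2, "tags": ["zipline", "backtest"],
     "text": "Last daily backtest used bundle quandl from 2018-01-01"},
    {"id": 3, "tags": ["trading", "intent"],
     "text": "Plan to short 2000 shares of ACME next week"},
    {"id": 4, "tags": ["docs", "deploy"],
     "text": "Docs deploy target is s3://example-bucket/site with token=ghp_example0000"},
]

# Credential-shaped assignments: NAME=value where NAME ends in key/token/secret/password.
SECRET_RE = re.compile(r"(?i)\b([a-z_]*(?:key|token|secret|password))\s*=\s*(\S+)")
REDACTED = "<redacted>"


def redact(text):
    """Replace the value of any credential-shaped assignment, keeping the name."""
    return SECRET_RE.sub(lambda m: f"{m.group(1)}={REDACTED}", text)


def secrets_in(texts):
    """Count credential-shaped assignments whose value has not been redacted."""
    return sum(1 for t in texts
               for m in SECRET_RE.finditer(t) if m.group(2) != REDACTED)


def query_all(memory):
    """What 'attempt all memory queries before proceeding' amounts to:
    every stored entry lands in the current task's context."""
    return [e["text"] for e in memory]


def query_scoped(memory, task_tags, allow_secrets=False):
    """Only entries sharing a tag with the current task are returned, and
    credential values are redacted unless the caller explicitly opts in."""
    wanted = set(task_tags)
    hits = [e for e in memory if wanted & set(e["tags"])]
    return [e["text"] if allow_secrets else redact(e["text"]) for e in hits]


if __name__ == "__main__":
    everything = query_all(MEMORY)
    scoped = query_scoped(MEMORY, ["zipline", "backtest"])
    print(f"query_all: {len(everything)} entries, {secrets_in(everything)} secrets exposed")
    print(f"scoped   : {len(scoped)} entries, {secrets_in(scoped)} secrets exposed")
    for line in scoped:
        print("  ", line)
```

Against the constructed memory, the unconditional query drags the broker key, the documentation deploy token, and an unrelated trading intent into a daily backtest task; the scoped query returns only the prior backtest note, and even a task that legitimately touches the broker entry sees the key name but not its value.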

VirusTotal

64/64 vendors flagged this skill as clean.