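Based on the framework of Brent Penfold's "Trading Bible" (《交易圣经》), generates a complete trade setup (Setup) and trading plan (Plan) for stock trades. Use this skill when the user asks 「帮我制定交易计划」 ("help me draw up a trading plan"), 「帮我做交易预案」 ("help me prepare a trade setup"), 「XX股票怎么买」 ("how do I buy XX stock"), or 「帮我规划一下XX股票的入场和止损」 ("help me plan the entry and stop-loss for XX stock"). Trigger precondition: the user has explicitly specified a concrete stock code or name.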

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed stock trading-plan skill that can produce actionable financial guidance, but its behavior is coherent with its stated purpose and shows no hidden persistence, trade execution, data theft, or destructive actions.

Install only if you want a skill that produces actionable stock trading plans. Treat its output as research, not personalized financial advice; verify market data, review the referenced Longbridge and WenCai tools, and decide independently before risking money.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 81%
Finding
The trigger description includes broad natural-language phrases such as 'XX股票怎么买' ("how do I buy XX stock") and '帮我规划一下XX股票的入场和止损' ("help me plan the entry and stop-loss for XX stock"), which are likely to overlap with ordinary user questions and can cause the skill to activate in contexts where the user did not explicitly request a full trading-plan workflow. In a finance skill that outputs concrete entry, stop-loss, and position-sizing instructions, overbroad triggering materially increases the chance of unsolicited high-risk financial guidance.

Missing User Warnings

High
Confidence: 97%
Finding
The skill generates specific buy/sell prices, stop-losses, targets, and position sizes, but does not present a clear user-facing warning that this is not personalized investment advice and that trading carries substantial risk. In context, the skill is not merely educational analysis; it operationalizes trades, which makes omission of suitability, risk, and advisory disclaimers more dangerous because users may rely on the output as actionable financial direction.

VirusTotal

64/64 vendors flagged this skill as clean.
