
Security audit

Us Stocks Analysis

Security checks across malware telemetry and agentic risk

Overview

This is a read-only stock-analysis skill that uses a SentiSense API key and does not install code, trade, or modify accounts.

Install only if you are comfortable providing a SentiSense API key and sending ticker/API queries to SentiSense. Treat results as educational market context rather than buy/sell instructions, and monitor any free or paid API quota usage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Anti-Refusal Statement

High
Category: Anti-Refusal
Content:
- **Wrap vs flat varies by endpoint.** Read FLAT (no `.data`): `price`, `prices`, `chart`, `popular`, `market-mood`, `stocks/{T}/profile`, `descriptions`, and `sentiment` (bare array). `institutional/quarters` is a bare array (`[0].reportDate` is latest). These ARE wrapped in `{ isPreview, previewReason, data }` (read `.data`): `insider/*`, `analyst/*`, `insights/*`, `politicians/*`, `institutional/holders`. When unsure, accept both: `Array.isArray(raw) ? raw : (raw?.data ?? raw)`.
- **Sentiment is polarity.** The sentiment metric is a value in `[-1.0, 1.0]` where the sign is the direction (negative is bearish and real). Represent polarity; do not force it onto a 0-100 scale. The separate SentiSense Score metric is unbounded; report it as-is.
- **Always fetch quarters first** before `/institutional/*` calls. Never hardcode `reportDate`.
- **Free tier is real.** A user without PRO still gets back `data` (just truncated). Synthesize from what you get; don't refuse the workflow.
- **Don't hallucinate endpoints.** No options flow, no dark pool, no `/congress` (it's `/politicians`).
- **Be brief.** Users asked for synthesis, not a data dump. Five lines beats fifty.
Confidence: 85%
Finding: don't refuse

VirusTotal

60/60 vendors flagged this skill as clean.
