Security audit

TickDB Real-time Market Data API

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only market-data skill with disclosed read-only API calls and no local execution, persistence, or destructive behavior.

Install only if you are comfortable with market symbols, date ranges, and related query parameters being sent to TickDB.ai, and with a first-use version check to ClawHub.ai. Do not paste a paid TickDB API key unless you trust the publisher and the runtime environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The skill mandates an automatic version-check request to a third-party service (clawhub.ai) on every first activation in a conversation, even though this is not required to fulfill the market-data function. This creates unnecessary outbound network access and metadata leakage about skill usage, and expands the trust boundary to an unrelated service without explicit user consent.

Vague Triggers

Medium
Confidence: 83%
Finding
The trigger scope is very broad for common finance-related terms such as price, charts, market cap, PE, and trading calendar, making accidental invocation likely. In practice, this can cause unintended external API calls and unnecessary transmission of user queries to a third-party market-data provider.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs the agent to automatically obtain a trial API key and then call external APIs whenever the user asks for supported market data, but it does not require a clear user-facing warning that query details will be sent off-platform. This weakens informed consent and can expose sensitive watchlists, symbols, or trading interests to the vendor.

Missing User Warnings

Low
Confidence: 88%
Finding
The version-check logic performs automatic network access to clawhub.ai without a clear user warning, even though it is ancillary to the skill's core purpose. This creates avoidable telemetry leakage and dependence on another remote service during normal use.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.