Security audit

Value Nvest Perspective

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only stock and options analysis skill, with visible external market-data setup steps and no evidence of trade execution or hidden data access.

Use this as market research support only, not as personalized financial advice. Verify prices, option-chain data, risk tolerance, and suitability independently before trading. Only run the optional npx install or Claude Longbridge MCP setup if you trust the source and are comfortable connecting that external market-data provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 95%

Finding: The skill instructs the agent to modify the user's Claude Code MCP configuration by adding a Longbridge server, which exceeds the stated purpose of providing stock-analysis guidance. This expands the agent's operational scope into environment reconfiguration, creating risk of unauthorized tool enablement, unintended external connections, and user-environment changes without explicit, task-specific consent.

Missing User Warnings

Medium
Confidence: 92%

Finding: The README explicitly positions the skill to advise on buying, holding, rotating, and using long calls on US equities, but it does not include a clear disclaimer that outputs are informational only and not financial advice. In a capital-allocation context, users may over-rely on the skill's recommendations and take risky options positions without understanding suitability, loss potential, or the absence of fiduciary/regulatory safeguards.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.