portfolio management

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only portfolio analysis skill that gives high-stakes financial guidance, but its behavior is disclosed, purpose-aligned, and shows no hidden code, credential use, trading authority, or persistence.

Install only if you are comfortable letting the agent process portfolio screenshots and search public market data. Redact account identifiers and unnecessary personal details, verify any market data independently, and do not treat buy/sell, target-price, or position-size outputs as personalized financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger description is broad enough to activate on many generic investing or portfolio-related requests, which can cause the skill to intercept conversations beyond the user’s explicit intent. In a financial-advice context, over-triggering is more dangerous because it may lead the agent to provide unsolicited or overly specific investment guidance based on incomplete context, including screenshot processing and web lookups the user did not clearly request.

Natural-Language Policy Violations

Medium
Confidence: 90%
Finding
The skill metadata and content prescribe Chinese-language behavior without checking the user’s language preference, which can override user expectations and reduce transparency around financial recommendations. In a portfolio-management skill, forced language behavior is riskier because misunderstandings about price levels, stop-losses, or position sizing can directly affect user decisions.

Missing User Warnings

Medium
Confidence: 94%
Finding
The guide gives concrete stock recommendations, entry ranges, target prices, stop-losses, and position sizing, but does not include a clear warning that outputs are informational only and may lead to financial loss. In an investment-oriented skill, users are likely to act on this guidance directly, so the absence of suitability, risk, and non-advisory disclaimers materially increases the chance of harmful decisions.

VirusTotal

66/66 vendors flagged this skill as clean.
