Algo Builder

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed trading-research workflow that creates local research files and code templates, but it does not install executables, request credentials, or control broker accounts.

Install only if you want an agent to help structure trading research and generate local analysis artifacts. Use a dedicated workspace, review generated Python before running it, choose data providers deliberately, do not put broker credentials or API keys in generated notes, and treat any paper-trading or live-trading step as a manual financial decision with independent risk controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 91%
Finding
The README explicitly says the skill generates code, gates users through a pipeline, and progresses toward paper trading and live deployment, but it provides no warning about file modifications, code generation side effects, or the financial risk of live trading. In an agent context, that can lead users to authorize execution or deployment steps without informed consent, increasing the chance of unintended file changes or real-money losses.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill repeatedly instructs the agent to create files in the workspace (for hypotheses, signals, strategies, results, and scripts) without first requiring user confirmation or clearly warning that local files will be modified. In an agent setting, implicit write behavior can lead to unwanted workspace changes, overwriting existing content, or creating misleading artifacts the user did not authorize.

Missing User Warnings

Medium
Confidence: 89%
Finding
The output structure explicitly includes a `fetch_data.py` script, which strongly implies network retrieval of market data, but the skill provides no warning that external network access may occur or that market/provider queries could transmit user prompts, symbols, or strategy interests to third parties. In a research workflow, that can create privacy, compliance, and operational risk, especially if data sources are unapproved or credentials are later added ad hoc.

VirusTotal

64/64 vendors flagged this skill as clean.
