Stock Market Intelligence

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent market-data API helper, with normal but sensitive API-key and webhook setup that users should handle carefully.

Install only if you intend to use TraderHC's API. Treat AGENTHC_API_KEY as a secret, avoid running setup in shared or logged terminals, rotate the key if it is exposed, review any paid or Lightning-payment flows before automation, and configure webhooks only to destinations you control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 94%
Finding
The setup flow POSTs identifying data to an external service and captures the returned API key directly into an environment variable without any warning about privacy, logging, shell history, or secret exposure. In agent environments, such credentials may be surfaced in logs, subprocess traces, or inherited by unrelated commands.

Missing User Warnings

Medium
Confidence: 90%
Finding
The webhook subscription example instructs users to register a callback URL with an external service but does not warn that event payloads, endpoint metadata, and integration identifiers will be pushed to that URL. Misconfigured or third-party webhook endpoints could expose operational details or create an unintended data-sharing channel.

Missing User Warnings

Medium
Confidence: 88%
Finding
The script prints the newly issued API key directly to stdout and includes copy-paste export commands containing the secret. In agent, CI, or logged terminal contexts, stdout may be captured in logs, transcripts, or tool outputs, causing credential exposure to unintended parties.

VirusTotal

66/66 vendors flagged this skill as clean.
