Trading Brain

Security checks across malware telemetry and agentic risk

Overview

This is a coherent trading-assistant skill, but it gives broad influence over real-money trading workflows and local brokerage-related files without clear consent boundaries.

Install only if you intentionally want this skill to influence trading research. Treat it as decision support, require explicit confirmation before any trade or brokerage action, use read-only credentials where possible, and review any local files it reads or writes because they may contain sensitive trading strategy and account context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 94%
Finding
The skill recommends invocation at the start of essentially any trading analysis, decision, research, or finance workflow, which is overly broad for a high-impact domain involving financial decisions. This increases the chance the agent will automatically load opinionated strategy and action-oriented guidance in contexts where the user did not explicitly request it, potentially biasing trading decisions or causing unintended downstream actions.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs the agent to document every trade to a local file, but it does not require explicit user consent or provide a warning that user data will be modified. In an agent setting, silent writes to local memory or notes can create integrity, privacy, and auditability issues, especially when the content includes sensitive financial decisions and rationale.

VirusTotal

64/64 vendors flagged this skill as clean.
