ClawHub

Earnings Calendar

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal earnings-calendar helper, but users should protect their FMP API key and understand that “US stocks” may include US-listed foreign issuers.

Install only if you are comfortable running the bundled Python scripts and using an FMP API key. Prefer setting FMP_API_KEY in your environment instead of pasting the key into chat or passing it as a command-line argument, avoid sharing transcripts that contain the key, and treat the report’s “US stocks” scope as US-listed unless the publisher tightens the filtering.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to solicit and retain a user-supplied API key in session/conversation context. Even if described as temporary, placing credentials into chat/session state increases the chance of inadvertent disclosure through logs, prompt leakage, transcript sharing, or downstream tool access.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The skill description and report notes claim coverage of US stocks/US companies, but the output clearly includes many foreign issuers and ADRs such as Toyota, Novo Nordisk, AstraZeneca, Petrobras, and others. This mismatch can mislead downstream users or agents into making decisions based on an incorrect assumption about market scope and filtering, reducing trust in the tool and potentially causing incomplete or skewed analysis.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The report output exceeds the declared scope by including numerous non-US companies throughout the calendar, creating a systemic scope-integrity failure rather than a one-off wording issue. In an agent skill, this can propagate incorrect assumptions into summaries, screening workflows, or automated financial research, especially where users expect US-only coverage.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Allowing and documenting API key entry on the command line can expose the secret through shell history, process listings, job-control logs, and monitoring tools on multi-user systems. In this skill’s context, the key is legitimate for the feature, but encouraging insecure secret entry makes credential leakage more likely during normal use.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal