A股十书全景分析法 (A-Share Ten-Book Panoramic Analysis Method)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed stock-analysis instruction skill with external market-data lookups, not code that installs, persists, steals data, or changes accounts.

Before installing, understand that using this skill may send stock names, stock codes, cutoff dates, and related search terms to third-party finance sites or search providers. Treat buy, hold, avoid, price-range, and position-size outputs as informational analysis only, and verify data independently before making financial decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger scope is broad enough to activate on many ordinary stock-related messages, which can cause unintended execution of a high-impact skill that fetches external market data and produces concrete trading recommendations. In this context, accidental invocation is more dangerous because the skill is opinionated, auto-classifies securities, and outputs price/position guidance, increasing the chance of unsolicited financial advice or unnecessary external requests.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill performs external fetching from multiple third-party financial endpoints but does not clearly warn users beforehand, creating transparency and privacy issues around outbound requests and data provenance. In a finance-analysis skill, this is more sensitive because users may assume the analysis is self-contained while the system is actually contacting external sites and incorporating potentially unreliable or time-sensitive data.

VirusTotal

66/66 vendors flagged this skill as clean.
