
Security audit

Cue Wealth Advisory

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a finance research assistant with broad advisory-style triggers, but there is no artifact-backed evidence of hidden execution, account mutation, credential theft, persistence, or exfiltration.

Install only if you want finance research and allocation-oriented analysis. Treat outputs as educational research, not professional investment advice; avoid sharing sensitive account data unless you intend to; and confirm any trading, allocation, or fund-comparison workflow before acting on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger list is broad and mixes multiple finance-related intents such as wealth advisory, fund comparison, and portfolio allocation without clear activation boundaries. In an agent setting, this can cause the skill to activate on loosely related financial queries and perform external research or recommendation-like workflows in contexts the user did not clearly request, increasing the risk of inappropriate financial guidance or unintended tool use.

Vague Triggers

Low
Confidence: 80%
Finding
The usage section describes the scope only as broad finance domains like funds, trading, and financial performance, without clearly stating boundaries such as research-only behavior, exclusions, or when human confirmation is required. That ambiguity makes it easier for the agent to over-apply the skill to regulated or sensitive advisory scenarios, especially given the skill’s capability to run external research and produce allocation-oriented outputs.

VirusTotal

57/57 vendors flagged this skill as clean.
