A-Share Smart Investment Assistant (A股智能投资助手)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed stock-analysis helper with optional scheduled messaging, but users should be careful about sending portfolio or watchlist reports to chat channels.

Install only if you are comfortable with the declared finance dependencies and market-data access. If you enable Feishu, WeChat, or scheduled cron delivery, use a private channel and avoid including sensitive holdings or account details in reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill advertises automated Feishu/WeChat push notifications for holdings reports and alerts, which can transmit sensitive portfolio, watchlist, and trading-signal data to external messaging platforms without clearly warning users about that data sharing. In an investment context, this can expose confidential financial interests or account-related behavior to third parties or unintended recipients.

Missing User Warnings

Medium
Confidence: 96%
Finding
The scheduled job configuration automatically sends portfolio reports and alert content to the external Feishu channel, but the documentation does not clearly warn that this happens unattended on a recurring basis. Automatic outbound transmission increases the risk of accidental disclosure of holdings, watchlists, or trading activity, especially in shared workspaces or misconfigured channels.

VirusTotal

65/65 vendors flagged this skill as clean.
