financial-report-analysis

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed financial-report analysis helper with local sample-data calculations, but users should not treat its simple ratings as real investment advice.

Install only if you want a local financial-report analysis helper. Treat the scoring, ratings, and recommendation text as heuristic commentary, not professional financial advice or a basis for trades. Verify any payment channel and publisher identity independently before paying, and review future versions carefully if they add real-time data APIs, caching, or credential-based integrations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The skill’s stated purpose is financial-statement analysis, but the code assigns scores, ratings, and explicit investment recommendations such as whether the company is worth investing in. In a financial domain, this crosses from descriptive analytics into actionable advisory output, which can mislead users into making financial decisions based on a simplistic model and create compliance, safety, and trust risks.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The module-level description presents the skill as a financial-report analysis tool, but the implementation produces investment advice as part of the core report flow. This mismatch increases the risk that users or integrators will trust the skill as neutral analysis when it is actually making suitability-style judgments.

VirusTotal

59/59 vendors flagged this skill as clean.
