Stock Analysis Pro

Security checks across malware telemetry and agentic risk

Overview

This instruction-only stock-analysis skill is coherent, but users should treat its buy/sell suggestions carefully and avoid sharing unnecessary portfolio details.

Install only if you are comfortable with a finance assistant using external market-data sources and producing investment-style suggestions. Do not share broker logins, account numbers, or more holdings detail than needed, protect any optional tushare token, and treat all recommendations as informational rather than financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger phrases are broad and include common financial-chat language such as asking how the market is doing or what to buy, which can cause the skill to activate in situations where the user did not explicitly intend to invoke it. In this skill's context, unintended activation is more dangerous because it may lead to external market-data lookups and generation of investment-style recommendations without clear consent or framing.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill description says it directly calls akshare and references external market data sources, but it does not clearly warn users that their queries and possibly portfolio-related inputs may be transmitted to external providers. In a finance skill, this matters more because holdings, watchlists, and trading interests can reveal sensitive personal financial information and user intent.

VirusTotal

66/66 vendors flagged this skill as clean.
