ClawHub

T Trading

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed trading-analysis prompt skill, with no artifact-backed evidence of hidden execution, data access, persistence, or destructive behavior.

Install only if you want Chinese-language, technical trading-analysis guidance using this methodology. Be aware it may activate on broad market-analysis phrasing, and do not treat its outputs as personalized financial advice or automatic trade instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill advertises very broad natural-language triggers such as generic requests to 'analyze' a ticker, ask for support levels, or discuss moving averages. In a prompt-based skill system, these phrases can cause unintended activation during ordinary conversation, leading the assistant to enter a trading-analysis mode and produce actionable financial guidance when the user may not have explicitly requested the skill.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation logic includes broad trading-intent phrases such as asking whether an asset is suitable to enter or how to operate, which are common in ordinary finance conversations. This can cause the skill to activate in contexts where the user did not request this specific methodology, leading to unsolicited or overly prescriptive trading guidance and incorrect routing to a specialized prompt.

Vague Triggers

Low
Confidence
80% confidence
Finding
The example trigger for a generic moving-average request is broad enough to overlap with many standard technical-analysis queries unrelated to this specific skill. That increases the chance of accidental activation and misapplication of the skill's rigid output format or methodology to user requests that only wanted a simple MA explanation.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger conditions are very broad and match generic requests about short-term trading, trend analysis, support/resistance, and common asset symbols. This can cause the skill to activate outside its intended scope, unexpectedly overriding other safer or more appropriate skills and steering the assistant into detailed trading guidance without clear user intent.

Natural-Language Policy Violations

Medium
Confidence
72% confidence
Finding
The skill is authored entirely in Chinese and frames output in Chinese without offering a language-selection path. While not a classic security flaw, this can reduce transparency, impair user comprehension, and make it harder for reviewers or downstream safety systems to verify what advice is being given, especially in a high-risk financial context.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal