A Share Short Decision.Bak

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent A-share market-analysis tool that reads public market data and writes local research logs, with no evidence of credential theft, trade execution, exfiltration, or destructive behavior.

Install only if you are comfortable with AkShare and pandas being installed from your Python package source, and keep the `data/` directory private because it can record analyzed dates, signals, and candidate stocks. Enable the scheduler only if you want recurring weekday scans, and treat all outputs as research support rather than investment advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill advertises executable workflows that read environment state and perform filesystem reads/writes, but it does not declare those capabilities or warn the user. This creates a transparency and consent problem: an operator may invoke the skill expecting analysis-only behavior while it can persist artifacts locally and potentially access sensitive runtime context.

Missing User Warnings

Low
Confidence: 82%
Finding: The documentation states that prediction snapshots are appended into a local log file, but it does not warn the user that invoking the skill creates persistent artifacts. Silent retention can expose trading decisions, dates, and derived market activity to later users or processes, especially in shared or managed environments.

Missing User Warnings

Low
Confidence: 80%
Finding: The subskill commands are described as generating artifacts under `data/` without an explicit warning about filesystem writes. While the writes appear operational rather than malicious, undisclosed artifact creation can surprise users, overwrite previous outputs, or leave sensitive trading-analysis data behind on disk.

VirusTotal

64/64 vendors flagged this skill as clean.
