Financial Analysis Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a local portfolio backtesting tool that reads CSV data and writes reports/charts, with no evidence of hidden network access, credential theft, account trading, or destructive behavior.

Install dependencies in a virtual environment, run it only with CSV and output paths you trust, and review generated reports before sharing them because they may include local paths and derived portfolio data. Treat backtest results and recommendations as informational research, not personalized financial advice or proof of future returns.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence: 80%
Finding
The skill uses third-party market-data providers and mentions API-key configuration, but does not warn users that portfolio symbols, query parameters, IP address, and usage metadata may be transmitted to external services. In a financial-analysis context, this can expose sensitive trading interests or account-linked usage patterns, even if it does not directly leak credentials.

Missing User Warnings

Medium
Confidence: 93%
Finding
The document gives explicit investment recommendations, discusses portfolio advantages/disadvantages, and cites backtested performance metrics without a clear disclaimer that the material is informational only and not financial advice. In a skill intended to guide financial analysis, users may rely on these statements for real trading decisions, increasing the risk of financial harm from overreliance on historical or incomplete results.

VirusTotal

66/66 vendors flagged this skill as clean.
