Temp Skill

Security checks across malware telemetry and agentic risk

Overview

This is a local portfolio backtesting skill that reads a user-selected CSV and writes reports and charts, with privacy and overwrite caveats but no evidence of hidden access, exfiltration, or destructive intent.

Install this in a virtual environment, run it only on CSV files you intend to analyze, and point --output to a dedicated folder because existing files with the same report or chart names may be replaced. Review generated reports and JSON before sharing, since they may include local file paths, timestamps, asset data, and financial analysis results. Treat the backtest output as informational analysis, not financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Low (89% confidence)
Finding
The skill explicitly integrates external market data providers but does not warn users that requests may disclose queried symbols, usage patterns, and potentially portfolio-related data to third parties. In a financial-analysis context, that omission can mislead users about privacy and data-sharing expectations, especially when API-backed lookups are triggered from user-supplied portfolio inputs.

Missing User Warnings

Medium (94% confidence)
Finding
The skill writes multiple PNG, TXT, and JSON files to a caller-controlled output path and uses fixed filenames, but it does not create the directory safely, check for existing files, or warn that prior contents may be overwritten. In an agent or shared workspace context, this can lead to unintended data loss, clobbering of existing artifacts, or writes into sensitive/unexpected locations if the output path is misconfigured.

Missing User Warnings

Medium (92% confidence)
Finding
The guide explicitly documents generation of reports, JSON, and charts, and the included example report shows an absolute local Windows path and detailed dataset metadata. If users share these artifacts for collaboration or debugging, they may unintentionally disclose local usernames, directory structures, data sources, and potentially sensitive financial data without any warning from the documentation.

VirusTotal

64/64 vendors flagged this skill as clean.
