ClawHub

Investment Cognition Detector

Security checks across malware telemetry and agentic risk

Overview

This skill is a text-only investment self-assessment workflow that uses disclosed public web research and interactive questions, without install-time code, credentials, persistence, or account actions.

Use this as an educational self-check, not as financial advice. Avoid entering brokerage credentials, account numbers, confidential portfolio details, or private documents. Expect the agent to search the web for the company you name, and review any conclusions independently before making investment decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list ends with a broad catch-all phrase covering essentially any request to test investment understanding, which can cause the skill to activate in contexts the user did not explicitly intend. Over-broad activation can lead to unexpected web lookups, incorrect workflow hijacking, and reduced user control, especially in financial contexts where users may be discussing sensitive holdings or asking for a different type of help.

Natural-Language Policy Violations

Medium
Confidence
81% confidence
Finding
The skill is written to operate only in Chinese and does not provide a language negotiation or consent mechanism, which can cause users to receive analysis in a language they did not request or fully understand. In a financial evaluation workflow, this increases the risk of misunderstanding questions, answers, and conclusions, potentially degrading decision quality even if it does not directly create a traditional security compromise.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal