ClawHub

Private Fund Portfolio Analysis

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate private-fund portfolio analysis helper, but it includes real-looking database connection defaults that could cause unintended external access.

Review before installing or using. Replace the MySQL host, user, password, and database defaults with nonfunctional placeholders or your own securely supplied environment variables, and rotate the exposed credential if it may be real. Run generated analysis only in a private workspace, disable external enrichment if holdings must stay local, and remove generated CSV/JSON/PNG/cache files when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The documentation explicitly warns not to hardcode real passwords or addresses, yet the sample MySQL connection embeds a real-looking IP address, username, and password as defaults. In a skill that may be copied verbatim into scripts, this creates a high risk of credential leakage, unintended outbound connections to a third-party database, and reuse of potentially live secrets.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill instructs use of external data sources such as MySQL and AKShare and describes generating output files, but it does not clearly warn the user that running the workflow may transmit data externally and write potentially sensitive portfolio analysis artifacts to disk. In the context of private fund holdings, silent network access and file output increase confidentiality and privacy risk.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal