ClawHub

yumstock

Security checks across malware telemetry and agentic risk

Overview

This skill is a stock-analysis workflow using public financial data, with no evidence of hidden access, code execution, persistence, or account-changing behavior.

Install only if you want an agent to produce structured stock research from public sources. Verify important figures against primary sources, treat BUY/HOLD/SELL outputs as educational analysis rather than investment advice, and ask for English-only labels if the mixed-language terminology would be confusing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill operationalizes investment research into explicit BUY/HOLD/SELL outputs before presenting a prominent upfront warning, which can cause users to treat the workflow as actionable financial advice rather than educational analysis. Because the instructions are highly prescriptive and include verdict gating and scoring, the absence of an early disclaimer increases the chance of over-reliance and regulatory/compliance risk.

Natural-Language Policy Violations

Low
Confidence
81% confidence
Finding
The skill introduces non-English terminology in core analysis logic without asking for the user's language preference or clarifying that mixed-language labels are optional. This can confuse users, reduce comprehension of important scoring criteria, and increase the risk that a user misunderstands the basis for an investment-style recommendation.

Natural-Language Policy Violations

Low
Confidence
83% confidence
Finding
Additional Chinese-only category labels appear in technical-analysis instructions tied to entry-signal classification, again without user opt-in. In a skill producing trading-style conclusions, unclear labeling can distort interpretation of technical triggers and degrade safe, informed use.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal