Buffett Analysis

Security checks across malware telemetry and agentic risk

Overview

This investment-analysis skill mostly matches its stated purpose, but it can run unsafe shell commands from user input and publish changes to GitHub without a clear approval step.

Install only if you intentionally want this skill to update and publish alpha-factor-lab reports. Treat company names or tickers as untrusted input until the shell=True command construction is fixed, and require manual diff review plus explicit approval before any commit or push.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    args = " ".join(f"{k}={v}" for k, v in kwargs.items())
    cmd = f"mcporter call {tool} {args}"
    try:
        r = subprocess.run(cmd, shell=True, capture_output=True, text=True, env=ENV, timeout=60)
        if r.stdout.strip():
            return json.loads(r.stdout)
    except (json.JSONDecodeError, subprocess.TimeoutExpired) as e:
Confidence
98% confidence
Finding
r = subprocess.run(cmd, shell=True, capture_output=True, text=True, env=ENV, timeout=60)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    cmd = f"mcporter call {tool} {args}"
    try:
        with open(out_path, "w") as f:
            subprocess.run(cmd, shell=True, stdout=f, stderr=subprocess.DEVNULL, env=ENV, timeout=60)
        if os.path.getsize(out_path) > 2:
            with open(out_path) as f:
                return json.load(f)
Confidence
98% confidence
Finding
subprocess.run(cmd, shell=True, stdout=f, stderr=subprocess.DEVNULL, env=ENV, timeout=60)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill's stated purpose is investment analysis, but it also instructs the agent to modify a frontend repository, update persistent JSON data, and publish results. This is a classic scope jump from analysis to state-changing software supply chain activity, enabling unauthorized content changes and remote publication under the guise of a benign research request.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The industry-analysis branch repeats the same unsafe pattern by coupling research output to mandatory repository writes and publication. Because this behavior is absent from the manifest description, users may trigger remote content changes without understanding that an informational query can modify and publish project assets.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Automatic git commit and push are not necessary to answer an investment-analysis request, yet they create immediate exfiltration and integrity risks. An attacker could abuse ordinary prompts to cause unauthorized repository updates, publish manipulated analysis, or overwrite existing content in a trusted GitHub-backed site.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The industry workflow's mandatory publication step extends analysis into remote repository operations unrelated to core task completion. This expands the blast radius from a chat response to externally visible site changes, making accidental or malicious misuse much more damaging.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill mandates writing to repository files and pushing commits without clearly informing the user that persistent project data and remote content will be modified. Lack of disclosure defeats informed consent and makes prompt-level social engineering far easier, since a seemingly harmless analysis request can trigger durable changes.

Missing User Warnings

High
Confidence
97% confidence
Finding
The industry workflow repeats undisclosed repository modification and remote publication steps. In context, this is more dangerous because industry-analysis requests are broad and common, increasing the chance that users unintentionally trigger external updates to a public-facing site.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The finding correctly identifies that shell execution is performed with unescaped user-controlled arguments. In this skill context, the primary entrypoint accepts a company name or code from the user, so malicious input like shell metacharacters could turn a data-fetch request into arbitrary command execution.

VirusTotal

65/65 vendors flagged this skill as clean.