Boheng Investment Workflow

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real investment-analysis skill, but its external network use and optional command/browser automation are not disclosed consistently enough for automatic approval.

Install only if you are comfortable with this skill making third-party financial/news requests and saving local reports. Keep sensitive information out of USER.md, leave browser news disabled unless needed, narrow or confirm the broad triggers, and treat generated investment analysis as informational rather than financial advice. The static scan was clean and the VirusTotal result was still pending at the time of this review; the review verdict is based on artifact-backed disclosure and scoping mismatches, not on malware evidence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding
The documentation makes conflicting security claims: it says the skill does not use system commands, yet elsewhere states that it invokes an external CLI (`agent-browser`) and force-terminates Chrome processes. Misstating command-execution behavior is dangerous because reviewers and users may underestimate the skill's ability to spawn subprocesses or act on local processes (here, killing the browser), which conceals operational risk.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The module and class documentation explicitly claim only whitelisted-domain access, but the code also reaches AKShare, baostock, and Eastmoney-related endpoints. In an agent skill, misleading trust and network-boundary claims are security-relevant because operators may approve execution under false assumptions about egress restrictions and data provenance.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The comment says industry change is fetched from Tencent Finance, but the implementation actually calls Eastmoney. While not an exploit by itself, this kind of source misrepresentation undermines reviewability and can conceal undeclared egress to third parties, which is risky in security-sensitive agent environments.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The skill advertises real financial data support, but several fallback paths fabricate financial, valuation, and industry metrics from defaults or heuristics and return them in the same shape as real data. In an autonomous decision workflow, undisclosed synthetic values can mislead downstream agents or users, causing unsafe financial decisions and trust-boundary violations around data integrity.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
When all real data sources fail, the module fabricates generic 'news' items and returns them in the same structure as genuine fetched news. In an investment-analysis workflow, this can mislead downstream agents or users into treating synthetic placeholders as factual market information, creating integrity and decision-risk even though it is not a code-execution flaw.

Intent-Code Divergence

Severity: Low
Confidence: 92%
Finding
The docstring claims the fallback is based on public information, but the implementation only emits hard-coded templates containing the stock name. This is a provenance and transparency failure that can cause downstream components to overtrust invented content, especially in an autonomous analysis pipeline.
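The three findings above share one root cause: fallback values (default valuation metrics, templated "news", the "public information" placeholder) come back in exactly the shape of live data, so nothing downstream can tell them apart. The fix is to carry provenance with every value and have the consumer refuse to reason over synthetic fields. The code below is an added example of that pattern, not code from the Boheng skill or from SkillSpector; the providers, default values, field names and the toy valuation rule are all constructed for illustration.

```python
"""Added example: provenance-tagged fallbacks for a financial-data fetch.

Not the reviewed skill's code. The providers, defaults and the valuation rule
are constructed stand-ins; the point is the tagging and the consumer-side refusal.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class DataPoint:
    value: Optional[float]
    source: str       # e.g. "live:demo_provider" or "synthetic:default (KeyError)"
    synthetic: bool   # True when no provider actually supplied the value


@dataclass(frozen=True)
class Fundamentals:
    symbol: str
    pe_ratio: DataPoint
    pb_ratio: DataPoint
    industry_change_pct: DataPoint

    def synthetic_fields(self) -> list[str]:
        """Names of fields that were filled in rather than fetched."""
        return [n for n, dp in vars(self).items()
                if isinstance(dp, DataPoint) and dp.synthetic]


# Hypothetical mapping from our field names to provider response keys.
FIELD_KEYS = {"pe_ratio": "pe", "pb_ratio": "pb", "industry_change_pct": "industry_chg"}
# The kind of silent defaults the finding describes; here they stay, but get tagged.
DEFAULTS = {"pe_ratio": 15.0, "pb_ratio": 1.5, "industry_change_pct": 0.0}


def fetch_fundamentals(symbol: str, provider: Callable[[str], dict],
                       provider_name: str = "demo_provider") -> Fundamentals:
    """Fetch per-field values; any field the provider did not return is tagged synthetic."""
    try:
        raw = provider(symbol)
        reason = None
    except Exception as exc:  # network error, parse error, provider outage
        raw, reason = {}, type(exc).__name__
    points = {}
    for field_name, key in FIELD_KEYS.items():
        if raw.get(key) is not None:
            points[field_name] = DataPoint(float(raw[key]), f"live:{provider_name}", False)
        else:
            why = reason or "missing key"
            points[field_name] = DataPoint(DEFAULTS[field_name], f"synthetic:default ({why})", True)
    return Fundamentals(symbol=symbol, **points)


def fetch_news(symbol: str, news_provider: Callable[[str], list],
               provider_name: str = "demo_news") -> list[dict]:
    """Return news items, each carrying a synthetic flag; the template fallback is labelled."""
    try:
        items = news_provider(symbol)
    except Exception:
        items = []
    if not items:
        # Same kind of hard-coded template the finding describes, but unmistakably marked.
        return [{"title": f"No recent news retrieved for {symbol}",
                 "source": "synthetic:template", "synthetic": True}]
    return [{"title": i["title"], "source": f"live:{provider_name}", "synthetic": False}
            for i in items]


def analyze(symbol: str, provider: Callable[[str], dict],
            news_provider: Callable[[str], list] = lambda s: []) -> dict:
    """Consumer side: refuse to produce a verdict when any input is synthetic."""
    f = fetch_fundamentals(symbol, provider)
    news = fetch_news(symbol, news_provider)
    synthetic = f.synthetic_fields()
    real_news = [n for n in news if not n["synthetic"]]
    if synthetic:
        return {"symbol": symbol, "status": "insufficient_data",
                "synthetic_fields": synthetic, "news_count": len(real_news)}
    # Constructed toy rule; a real model would be richer, but it never sees defaults.
    low = f.pe_ratio.value < 12 and f.pb_ratio.value < 1.0
    return {"symbol": symbol, "status": "ok", "valuation": "low" if low else "not_low",
            "synthetic_fields": [], "news_count": len(real_news)}


# Constructed providers standing in for live, partially failing and failing sources.
def live_provider(symbol: str) -> dict:
    return {"pe": 9.8, "pb": 0.9, "industry_chg": 1.2}


def partial_provider(symbol: str) -> dict:
    return {"pe": 9.8}  # the "industry" and "pb" endpoints dropped out


def failing_provider(symbol: str) -> dict:
    raise ConnectionError("timeout")


if __name__ == "__main__":
    for p in (live_provider, partial_provider, failing_provider):
        print(p.__name__, analyze("600519", p))
```

The unsafe version and this one produce the same numbers on the fallback path; the difference is that `synthetic_fields()` makes the substitution visible, and `analyze` treats any synthetic input as "insufficient data" instead of scoring it.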

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The trigger keywords are extremely broad (e.g., '分析' ("analyze"), '投资' ("invest"), '股票怎么样' ("how is this stock")), making accidental activation likely during ordinary conversation. In this skill's context, accidental triggering matters because activation can lead to network access, reading local user preference files, and writing reports, causing unintended data processing and external requests.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The code performs outbound requests to a non-whitelisted provider without clear user-facing disclosure, despite the earlier claims about restricted domains. In agent deployments, undeclared external communications expand the data-exposure surface and can bypass operator expectations or network-policy assumptions.
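The whitelisted-domain finding above and this one both come down to the same reviewer question: which hosts can this code actually reach, and do they match what the docs declare? That can be checked mechanically before install by walking the skill's source for URL literals and for imports of data libraries that do their own network I/O (AKShare, baostock and the like). The code below is an added example of such a check, not part of the Boheng skill or of SkillSpector; the sample source, the declared allowlist and the library list are constructed for illustration.

```python
"""Added example: diff a skill's reachable hosts against its declared allowlist.

Illustrative code, not the reviewed skill's. SAMPLE_SOURCE, DECLARED_DOMAINS and
EGRESS_LIBRARIES are constructed; point the check at a real skill directory instead.
"""
import ast
import re
from urllib.parse import urlparse

# Constructed allowlist, standing in for whatever the skill's documentation declares.
DECLARED_DOMAINS = {"finance.sina.com.cn", "qt.gtimg.cn"}

# Constructed sample source mimicking the mismatch described in the findings.
SAMPLE_SOURCE = '''
import requests
WHITELIST = ["finance.sina.com.cn", "qt.gtimg.cn"]  # docs: only these hosts

def quote(code):
    # documented Tencent Finance call
    return requests.get(f"https://qt.gtimg.cn/q={code}").text

def industry_change(code):
    # comment says Tencent Finance; the URL says otherwise
    return requests.get("https://push2.eastmoney.com/api/qt/clist/get", params={"f": code}).json()

def fundamentals(code):
    import akshare as ak   # library egress with no URL in this file at all
    return ak.stock_financial_abstract(symbol=code)
'''

URL_RE = re.compile(r"""https?://[^\s'"<>]+""")

# Data libraries that perform their own HTTP calls; importing one is undeclared
# egress unless the docs name the library. Constructed list; extend as needed.
EGRESS_LIBRARIES = {"akshare", "baostock", "tushare", "yfinance"}


def literal_hosts(source: str) -> set[str]:
    """Hostnames from every string literal (f-string fragments included) holding a URL."""
    hosts = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in URL_RE.findall(node.value):
                host = urlparse(url).hostname
                if host:
                    hosts.add(host.lower())
    return hosts


def imported_egress_libraries(source: str) -> set[str]:
    """Top-level packages imported anywhere in the module (nested imports included)."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            names = [node.module]
        else:
            continue
        for name in names:
            top = name.split(".")[0]
            if top in EGRESS_LIBRARIES:
                found.add(top)
    return found


def undeclared_egress(source: str, declared: set[str]) -> dict:
    """Hosts and libraries the code can reach that the declared allowlist does not cover."""
    def covered(host: str) -> bool:
        # A subdomain of a declared domain counts as declared.
        return any(host == d or host.endswith("." + d) for d in declared)

    return {
        "undeclared_hosts": sorted(h for h in literal_hosts(source) if not covered(h)),
        "undeclared_libraries": sorted(imported_egress_libraries(source)),
    }


if __name__ == "__main__":
    print(undeclared_egress(SAMPLE_SOURCE, DECLARED_DOMAINS))
```

On the constructed sample this reports `push2.eastmoney.com` as an undeclared host and `akshare` as an undeclared library. The check only sees hosts that appear as literals; URLs assembled at runtime or fetched from config still need a network-level control (an egress allowlist on the agent's sandbox) rather than a source scan.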

VirusTotal

64/64 vendors reported this skill as clean.
