Quantitative Research

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only quantitative finance research skill with broad activation wording but no code, credentials, persistence, or trading-account control.

Install only if you want quantitative trading research and backtesting guidance. Treat its outputs as educational or analytical support, not financial advice or permission to trade; verify assumptions, data quality, costs, and risk independently before acting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Medium (91% confidence)
Finding:
The invocation description is overly broad and includes many generic finance and research terms, which can cause the skill to trigger in contexts outside its intended scope. This increases the chance that high-authority instructions in the skill are injected into unrelated conversations, potentially overriding more appropriate tooling or causing unsafe reliance on domain-specific guidance without clear user intent.

Vague Triggers

Medium (95% confidence)
Finding:
The detection pattern `backtest|simulate|historical` is very broad and can activate on many benign finance or analytics requests that are not asking for this specific skill. Over-triggering is dangerous because it can route users into specialized trading guidance unexpectedly, increasing the chance of irrelevant or risky advice being applied in the wrong context.

Vague Triggers

Medium (96% confidence)
Finding:
The alpha research detection keywords `alpha|signal|predict|edge` are underspecified and overlap heavily with ordinary language, ML, and non-financial analysis. In a skill-routing system, this can cause frequent false activation and unintended access to high-risk trading-research behavior for prompts that merely mention prediction or signals.

Vague Triggers

Low (88% confidence)
Finding:
The statistical arbitrage trigger includes `mean.*reversion`, which is broader than necessary and may catch general discussion of mean reversion outside stat-arb or even outside trading. While the rest of the pattern is more specific, this phrase can still misroute some user requests into advanced trading workflows.

Vague Triggers

Medium (95% confidence)
Finding:
The factor model detection terms `factor|exposure|beta|Fama.*French|Barra` include highly generic words like `factor`, `exposure`, and `beta`, which appear in many unrelated technical and business contexts. Because this skill gives sophisticated trading-research guidance, broad activation increases the risk of irrelevant financial advice or unintended capability routing.

Vague Triggers

Medium (94% confidence)
Finding:
The regime detection triggers include broad phrases like `regime` and `market.*state`, which can match macro commentary, political discussion, or generic state classification problems. In this skill context, ambiguous activation is more concerning because the routed guidance is specialized and may encourage trading decisions based on an incorrectly inferred user intent.

Vague Triggers

Medium (97% confidence)
Finding:
Several anti-pattern detections use generic terms such as `download`, `future`, `position`, `recent`, and `optimize`, which are common in ordinary requests and not uniquely indicative of the specific anti-patterns. This is dangerous because defensive or advisory logic built on these matches may misclassify benign prompts, causing unreliable routing, noisy warnings, or policy bypass opportunities through trigger collisions.

VirusTotal

64/64 vendors flagged this skill as clean.
