alphaear-predictor

Security checks across malware telemetry and agentic risk

Overview

This finance forecasting skill is not clearly malicious, but it uses outside search, stock-data, model, and LLM services and keeps a local finance/news database more broadly than the short description explains.

Install only if you are comfortable with a finance skill that may query third-party search and stock-data services, use configured LLM providers, download model artifacts, and keep local market/news caches. Avoid confidential strategy terms or proprietary watchlists unless you have reviewed the provider settings, and only use trusted model checkpoints.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill advertises no explicit permissions while its documented behavior and associated utilities imply access to environment variables, local files, and network resources. This creates a transparency and governance gap: callers and policy engines may authorize the skill under false assumptions, enabling unintended data access or outbound communication during execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose is narrow market forecasting, but the referenced codebase appears to include much broader functions such as database persistence, web/news search, stock synchronization, prompt-generation workflows, and model routing/testing. This mismatch is dangerous because reviewers or users may trust the skill for a limited use case while it exposes a much larger attack surface and can access/store more data than expected.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The `execute_query` method exposes raw SQL execution for any caller, including non-SELECT statements, with no allowlist, access control, or validation. In a skill that processes external/news/user-derived inputs, this creates a direct path to unauthorized data modification, deletion, schema tampering, and broader abuse if untrusted input can reach this helper.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The code sends current queries and cached/local-news candidate metadata to an LLM to decide cache reuse, which introduces an unnecessary external decision-making path for internal data selection. If queries or cached content contain sensitive user or proprietary market-research data, this can cause data exposure to the model provider and can also let untrusted cached text influence control flow through brittle JSON parsing of model output.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code falls back to downloading model artifacts from remote registries when local files are unavailable, without any explicit user approval, integrity pinning, or trust verification. In a finance-focused skill, this increases supply-chain risk because execution behavior and forecast outputs can silently change based on remote content, and compromised or unexpected model artifacts may introduce malicious code paths or unsafe model behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The training flow sends generated stock/news queries to an external search engine without any explicit disclosure, consent control, or outbound-network guardrail. Even if the query data is not highly sensitive, this creates an unannounced third-party data transmission path and can leak proprietary watchlists, research focus, or operational behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code aggregates search-result content and transmits it to an external LLM for causality verification without explicit notice or data-handling controls. This can expose third-party content, internal research context, and possibly licensed or sensitive text to an external provider, creating confidentiality, compliance, and supply-chain risk.

VirusTotal

66/66 vendors flagged this skill as clean.