alphaear-signal-tracker

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a finance signal-tracking helper with purpose-aligned market-data tools and local context use, but users should review its provenance, dependencies, and persisted analysis state before relying on it.

This skill is reasonable for tracking financial signals, but treat its outputs as research assistance rather than investment advice. Before installing or running helper code, verify the publisher, review the Python files and dependencies, and understand where any signal database or RAG context will be stored and reused.

Static analysis

Dynamic code execution

Critical
Finding
Dynamic code execution detected.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

The agent may query external data tools and base investment-signal updates on their results.

Why it was flagged

The workflow delegates research to other search and stock-data skills. This is central to the stated finance-tracking purpose, but users should expect external tool calls and untrusted market/news inputs.

Skill content
Use `alphaear-search` and `alphaear-stock` skills to gather the necessary data.
Recommendation

Verify important facts and market data before acting on the analysis, especially for investment decisions.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

It may be harder to verify who maintains the code or how its dependencies should be installed safely.

Why it was flagged

The skill has sparse provenance/setup metadata while shipping Python code and referencing dependencies. The artifacts do not show hidden installation or auto-run behavior, but the origin and dependency setup are not well documented.

Skill content
Source: unknown; Homepage: none; Install specifications: No install spec — this is an instruction-only skill; Code file presence 34 code file(s)
Recommendation

Install only if you trust the publisher; inspect the included scripts and pin/verify any dependencies before running helper code.

ASI06: Memory and Context Poisoning
Low
What this means

Prior generated content may influence later financial reports or signal updates.

Why it was flagged

The artifacts show RAG retrieval of previously generated report content. This is purpose-aligned for report continuity, but persisted context can carry stale or incorrect information into later analysis.

Skill content
You have a RAG search tool that can retrieve previously generated chapter content to ensure logical coherence.
Recommendation

Review or clear stored context when analyses become stale, and do not treat retrieved prior content as automatically correct.