ClawHub
Back to skill

Security audit

10JQKA

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Tonghuashun trading automation skill, but it controls a live trading desktop with SendKeys and reaches order-entry workflows without strong script-level guardrails.

Install only if you intentionally want desktop automation for Tonghuashun. Test it outside a live account first, keep the trading window visible, review any plan/watchlist path before running, and manually verify every order-entry screen before submitting anything.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly promotes automated interaction with a live stock trading client and local journal writing, but does not warn users that commands may trigger account-affecting actions or modify local files. In a trading context, undisclosed GUI automation is especially risky because hotkey-driven execution can place orders, alter watchlists, or persist sensitive trading records with financial consequences if run incorrectly or in the wrong window state.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This script performs direct GUI automation against a live stock-trading client using PowerShell COM SendKeys, including navigation to entrust/order-entry screens and stock-specific actions, but it has no explicit user confirmation, dry-run mode, or strong guardrails before sensitive trading workflows. In a trading context, simulated keystrokes can misfire into the wrong window or wrong market state, causing unintended order preparation or trading-related actions and creating financial and operational risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal