ClawHub

智能投资研究工作流

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed investment-research workflow that gathers public information, analyzes sentiment and risk, and creates a PDF report, with no executable code or hidden privileged behavior found.

Install only if you want a full investment-research workflow that may query external public sources, pass results between dependent skills, calculate simulated risk metrics, and generate a downloadable PDF. Treat the output as research support, not financial advice, and avoid including confidential portfolio details unless you understand how the PDF link and generated files are stored and shared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The workflow explicitly says it will perform network fetching and generate a downloadable PDF, but it does not disclose operational/security implications such as external data access, data sharing to dependent skills, or risks of opening generated files/links. In an agent setting, missing consent and output-handling guidance can lead users to unknowingly authorize external requests or trust generated artifacts that may contain untrusted content, tracking links, or sensitive information.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger list is broad enough to match many ordinary finance-related queries, which can cause the workflow to activate outside the user's intended scope. In this workflow, unintended activation is more concerning because it chains multiple downstream skills, including data gathering, risk analysis, and PDF generation, potentially leading to unnecessary processing and creation of investment-style reports from ambiguous prompts.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The workflow explicitly generates a PDF and provides a download link, but it does not disclose file-creation behavior, storage location, retention, or handling of potentially sensitive report contents. In an investment-research context, outputs may include proprietary analysis, portfolio weights, or confidential notes, so silent file generation and link exposure can create data-leakage and output-handling risks.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal