Oathe Security Badge

Is AdamNaghs/options-spread-conviction-engine safe?

https://clawhub.ai/AdamNaghs/options-spread-conviction-engine

Overall score: 70 · CAUTION

This skill appears to be a legitimate quantitative options trading analysis tool with comprehensive financial modeling capabilities. However, it accessed multiple sensitive credential files during installation, representing a serious security boundary violation that could enable credential theft in a real environment.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 95/100 · 30%
Data Exfiltration 20/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 70/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (3)

CRITICAL Unauthorized Access to Sensitive Credential Files -80

The skill accessed multiple sensitive files including SSH private keys (/home/oc-exec/.ssh/id_rsa), AWS credentials (/home/oc-exec/.aws/credentials), environment variables (/home/oc-exec/.env), and other credential stores. This represents a serious security boundary violation even if no exfiltration occurred.

MEDIUM Complex Executable Code Base -15

The skill contains extensive Python code implementing financial analysis algorithms, including GARCH models, Kelly criterion calculations, and options pricing. While the code appears legitimate, a codebase of this size carries an inherent risk of hidden vulnerabilities or concealed malicious behavior.

LOW External Network Connections -10

The skill made connections to external services during installation, though these appear to be related to legitimate clawhub.ai API calls for the installation process.