Financial Due Diligence Analyzer

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only financial due diligence skill: it asks for sensitive business inputs but contains no hidden code, data sharing, persistence, or privileged actions.

Install only if you want an agent to help analyze deal or company financials. Share only documents you are authorized to provide, redact unnecessary personal, banking, customer, and confidential identifiers, and independently verify any valuation or go/no-go recommendation before using it in a transaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 92% confidence
Finding
The trigger phrase "Run financial due diligence on [company]" is generic and likely to overlap with ordinary user requests for financial analysis. In agent ecosystems that auto-activate skills based on natural-language matching, this can cause unintended invocation, exposing financial workflows, external links, or skill-specific behavior when the user did not explicitly intend to use this skill.

Vague Triggers

Medium, 92% confidence
Finding
The activation phrase "Run financial due diligence on [company/deal]" is very broad and can trigger on loosely scoped requests without requiring confirmation, data boundaries, or explicit user intent about what sources may be used. In a finance workflow, this increases the chance the agent will process sensitive deal information or take unintended analysis actions on ambiguous prompts.

Missing User Warnings

Medium, 94% confidence
Finding
This skill explicitly invites users to provide financial statements, customer revenue breakdowns, and deal terms, but it does not warn that these materials may contain highly sensitive confidential, material nonpublic, or regulated business information. Without handling guidance, users may overshare secrets and the agent may process, retain, or transmit acquisition data in unsafe ways.

VirusTotal

64/64 vendors flagged this skill as clean.