FP&A Engine

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only financial planning skill that may handle sensitive company finance data, but the artifacts do not show hidden execution, persistence, or data transfer.

Use this skill only with financial data you are comfortable sharing with your agent environment. Redact bank account numbers, employee-identifying payroll details, customer personal data, and unnecessary account-level records; verify generated financial outputs before using them for board, investor, tax, or operational decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill exposes generic trigger phrases like "Build a financial model," "Budget review," and "Pricing analysis" that are common in ordinary conversation. In agent environments that auto-route on natural-language commands, broad phrases can cause unintended invocation and unexpected processing of sensitive financial context or files.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly solicits highly sensitive business information including cash on hand, payroll data, bank statements, fundraising details, and customer/revenue records, but provides no confidentiality notice, minimization guidance, or handling restrictions. If deployed in a shared or weakly governed agent environment, users may disclose regulated or commercially critical financial data without understanding retention, access, or downstream exposure risks.

VirusTotal

66/66 vendors flagged this skill as clean.
