Wealth Builder

Security checks across malware telemetry and agentic risk

Overview

This is a financial-planning skill with no malware evidence, but it asks for sensitive financial details and gives advice-like guidance without enough upfront privacy and professional-advice boundaries.

Install only if you are comfortable using it as an educational planning aid. Do not provide account numbers, credentials, SSNs, tax IDs, exact institution details, or unnecessarily precise balances; use ranges where possible. Verify investment, tax, legal, retirement, and debt recommendations with qualified professionals before acting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium, 94% confidence
Finding
The README presents the skill as a comprehensive personal finance and investment advisor covering investing, taxes, retirement, debt, and real estate, but it provides no warning that outputs may be incomplete, inaccurate, or unsuitable for a user's circumstances. In a financial-advice context, users may rely on the agent for regulated or high-stakes decisions, increasing the risk of harmful recommendations, unsuitable investment actions, tax mistakes, or delayed consultation with qualified professionals.

Vague Triggers

Medium, 90% confidence
Finding
The trigger phrase at this location is broad enough to match common user requests, which can cause the skill to activate unintentionally outside a clearly scoped finance workflow. In a skill that elicits detailed financial information, accidental activation increases the chance of oversharing sensitive data and receiving domain-specific guidance when the user did not explicitly intend to invoke this skill.

Vague Triggers

Medium, 93% confidence
Finding
The phrase "Help me build wealth" is highly generic and could overlap with ordinary conversation about goals, budgeting, career growth, or business planning. Because this skill covers sensitive financial assessment and investment guidance, ambiguous triggering can route benign conversation into a data-collection and advice-like flow without sufficiently explicit user intent.

Missing User Warnings

High, 97% confidence
Finding
The skill explicitly asks for highly sensitive personal financial data, including account balances, liabilities, assets, and liquid net worth, but does not provide clear privacy warnings, minimization guidance, or handling limitations near the collection point. This is dangerous because users may disclose comprehensive financial profiles that could enable fraud, identity-targeting, or serious privacy harm if stored, logged, or shared inappropriately.

VirusTotal

64/64 vendors flagged this skill as clean.
