Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
dateparser>=1.2.0 pydantic>=2.0.0 matplotlib>=3.8.0 flask>=3.0.0
- Confidence
- 97% confidence
- Finding
- dateparser>=1.2.0
bill claw
Security checks across malware telemetry and agentic risk
Overview
BillClaw is a disclosed local bookkeeping skill with expected private-finance access, but no hidden exfiltration, deception, or unsafe automatic execution was found.
Install only if you are comfortable letting the agent manage a local personal-finance ledger. Keep backups of the SQLite database, review delete and merge previews carefully, keep the web dashboard bound to 127.0.0.1, stop it when finished, treat CSV/PNG outputs as private, and prefer pinned dependencies or a lockfile for reproducible installs.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
dateparser>=1.2.0 pydantic>=2.0.0 matplotlib>=3.8.0 flask>=3.0.0
- Confidence
- 98% confidence
- Finding
- pydantic>=2.0.0
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
dateparser>=1.2.0 pydantic>=2.0.0 matplotlib>=3.8.0 flask>=3.0.0
- Confidence
- 96% confidence
- Finding
- matplotlib>=3.8.0
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
dateparser>=1.2.0 pydantic>=2.0.0 matplotlib>=3.8.0 flask>=3.0.0
- Confidence
- 98% confidence
- Finding
- flask>=3.0.0
Known Vulnerable Dependency: pydantic — 3 advisory(ies): CVE-2021-29510 (Use of "infinity" as an input to datetime and date fields causes infinite loop i); CVE-2024-3772 (Pydantic regular expression denial of service); CVE-2021-29510 (Pydantic is a data validation and settings management using Python type hinting.)
High
- Category
- Supply Chain
- Confidence
- 86% confidence
- Finding
- pydantic
Known Vulnerable Dependency: flask — 8 advisory(ies): CVE-2025-47278 (Flask uses fallback key instead of current signing key); CVE-2018-1000656 (Flask is vulnerable to Denial of Service via incorrect encoding of JSON data); CVE-2019-1010083 (Pallets Project Flask is vulnerable to Denial of Service via Unexpected memory u) +5 more
High
- Category
- Supply Chain
- Confidence
- 89% confidence
- Finding
- flask
VirusTotal
66/66 vendors flagged this skill as clean.