Invoice Extractor

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local invoice and expense-ledger tool, with financial file-writing and deletion features that users should operate deliberately.

Install this only if you want a local expense ledger, not just read-only invoice extraction. Review extracted entries before adding them, explicitly confirm edit/delete/undo/export actions, avoid exporting financial data to shared or public paths, and review any newly discovered export preset before letting the agent save it to expense-config.json.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill claims a narrow invoice-extraction purpose but also exposes broader filesystem and ledger-management operations such as batch folder scanning, edit/delete/undo, summary, export, and config mutation workflows. This mismatch is dangerous because users or orchestrators may invoke the skill under overly broad assumptions, enabling unintended file discovery or destructive data operations beyond simple extraction.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The documented discovery flow tells the agent to use web_search to infer third-party CSV import formats and then write new presets into the user’s config file automatically. This creates a risky trust chain from unverified web content to persistent local configuration changes, which could produce incorrect exports, poison configuration, or expand the skill’s behavior beyond what the user explicitly authorized.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill description is for invoice extraction, but the script also implements persistent mutable ledger management including add, edit, delete, undo, and export operations. This expands the skill from document parsing into stateful data mutation, increasing the chance of unintended or unauthorized modification of financial records if invoked by an agent or user without strong safeguards.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The ledger path is taken from configuration and may be absolute or relative, and export also accepts arbitrary output paths, allowing the tool to write outside the intended skill data directory. In an agent setting, this can be abused to overwrite or create files in unrelated filesystem locations, turning an invoice utility into a general file-write primitive.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation text is broad enough to match many common finance, receipt, tax, and expense-related conversations, increasing the chance the skill is selected in contexts where users did not intend filesystem access or ledger operations. Over-broad routing is dangerous because it can trigger data-processing workflows on sensitive financial documents with less precise user intent than necessary.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The example triggers are generic and include phrases like tracking expenses or preparing tax documents, which can overlap with broad personal-finance requests unrelated to invoice extraction. In a skill with file and ledger write capabilities, vague triggers raise the risk of accidental invocation and unnecessary handling of sensitive financial data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions explicitly direct the agent to add new export presets to the user’s config file without requiring a separate confirmation step. Silent persistent modification of configuration is dangerous because it changes future behavior, may corrupt user settings, and extends the skill from document processing into autonomous system reconfiguration.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
ledger_delete() permanently removes an entry and rewrites the full ledger immediately, with no confirmation prompt, no dry-run, and only backup-based recovery. In a tool-driven or agent-driven workflow, a mistaken invocation can silently alter financial records and undermine data integrity.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
ledger_undo() removes the highest-ID entry without confirmation and rewrites the ledger, which can unexpectedly delete records if called accidentally or by an over-permissive agent. Because IDs are mutable and deletions renumber entries elsewhere, this behavior can also be confusing and increase the risk of integrity loss.

VirusTotal

67/67 vendors flagged this skill as clean.