yindeng_ analyse

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Yindeng crawler with optional LLM analysis, but users should understand that enabling analysis sends extracted PDF text to the configured LLM provider.

Install in an isolated Python environment and leave analysis disabled unless you are allowed to send the downloaded announcement PDF text to your chosen LLM provider. Review LLM_PROVIDER, LLM_API_BASE, and the provider's privacy and retention terms before processing documents that may contain borrower, financial, or legal details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 96%
Finding
The documentation instructs users to configure third-party LLM providers for analysis but does not disclose that PDF and announcement contents may be transmitted off-platform to those providers. This creates a real transparency and data-handling risk because users may unknowingly send potentially sensitive financial documents to external services with different retention, logging, or jurisdictional controls.

Missing User Warnings

Medium
Confidence: 91%
Finding
The code sends extracted PDF text to a third-party LLM service, potentially exposing sensitive financial or borrower data, yet there is no explicit consent gate, redaction step, or strong notice before transmission. In this skill's context, the PDFs appear to contain loan-transfer and borrower-related information, which makes external disclosure more privacy-sensitive than ordinary document processing.

VirusTotal

64/64 vendors flagged this skill as clean.
