Fapiao Clipper

Security checks across malware telemetry and agentic risk

Overview

This invoice tool is mostly legitimate, but it can access email, follow links from messages, and store sensitive credentials and invoice data with weak disclosure and controls.

Install only after reviewing the email and network features. Prefer a dedicated mailbox or restricted folder, disable or avoid automatic email-link following, do not expose the Web UI publicly without access controls, and protect config.yaml because it may contain mailbox or API credentials in plaintext.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises no declared permissions, yet its documented behavior and detected capabilities include shell execution, file read/write, environment access, and network use. In an agent platform, undeclared capabilities reduce user visibility and consent, making it easier for the skill to access local invoice data, credentials, or external resources in ways the operator did not explicitly approve.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose centers on local invoice OCR and reimbursement management, but the broader behavior includes IMAP mailbox access, downloading attachments and URLs from email content, syncing blacklist data from external sources, and additional batch-style operations not clearly disclosed. This mismatch is dangerous because users may trust it as a local-only document tool while it actually performs network retrieval and data ingestion from untrusted sources, expanding the attack surface to credential exposure, malicious file intake, and unintended outbound connections.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The example configuration introduces optional email monitoring and link-following behavior that materially expands the tool's capability beyond local invoice parsing. This increases attack surface because invoice-related emails can contain malicious or tracking links, and users may enable these features without understanding that the tool is no longer purely local.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Automatically following links from monitored email is a high-risk capability that is not necessary for invoice recognition itself. If implemented, it can trigger requests to attacker-controlled URLs, enabling phishing pivoting, tracking, SSRF-like behavior, or retrieval of malicious content under the guise of invoice processing.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The code scans email bodies for links, then automatically fetches and saves remote content. That expands the trust boundary from local invoice processing to arbitrary external network interaction driven by untrusted email content, which can expose the host to SSRF-like access, tracking, and unintended data flows. For a tool marketed as local invoice processing, this behavior is riskier because users may not expect email-derived URLs to be contacted automatically.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The downloader follows redirects and recursively retrieves PDF/form targets extracted from HTML, allowing email content to steer multiple outbound requests. Because the URL extraction and invoice detection logic are broad keyword/path heuristics, an attacker can craft messages that trigger requests to attacker-controlled or internal endpoints, increasing SSRF and unwanted network access risk.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The setup wizard introduces IMAP mailbox monitoring and automatic link-following/download behavior, which materially expands the tool's trust boundary beyond local invoice processing into network-connected ingestion of external content. In this context, that increases exposure to phishing links, malicious downloads, and unintended access to email data, especially because the skill metadata emphasizes local invoice recognition rather than mailbox automation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Advertising automatic email scanning and attachment download without an explicit warning or consent notice creates a real privacy and security risk. Users may not realize the skill can access mailbox contents and pull files locally, increasing the chance of overbroad mailbox access, unintended collection of sensitive data, or unsafe downloading of malicious attachments.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The intent examples are broad phrases such as '扫描发票', '整理邮箱', and '列出所有', which can overlap with ordinary conversation and may cause an agent to invoke file scanning, mailbox processing, exports, or record modifications unintentionally. In a skill that can read databases, process local documents, and potentially access email-related workflows, accidental triggering can expose sensitive financial data or cause unintended state changes.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The email monitoring block includes automatic link-following but provides no warning about the associated phishing, tracking, and remote content risks. In a finance/invoice workflow, users may process untrusted sender content, so missing warnings make unsafe enablement more likely.

Missing User Warnings

High
Confidence
94% confidence
Finding
The code makes outbound HTTP requests to URLs extracted from untrusted email bodies without an explicit disclosure or consent flow. This can leak that the mailbox was opened, trigger requests to malicious infrastructure, and reach sensitive internal services when the host has network reachability that the attacker lacks.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The engine base64-encodes invoice images and sends them to a configurable HTTP endpoint via `/api/chat`. Invoices commonly contain sensitive personal and financial data, so transmitting them over plaintext HTTP or to an unexpected remote host can expose confidential information to interception or unauthorized processing. The skill context increases the seriousness because the data being handled is inherently sensitive expense and tax documentation.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
When no invoice ID is supplied, the command verifies all unchecked invoices, which can trigger broad external lookups without a clear user-facing warning about network access or the volume of data involved. In an invoice-processing context, this may expose sensitive invoice metadata to third-party verification services and cause unintended bulk transmission.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The blacklist sync command performs a network synchronization operation with no visible warning, consent prompt, or disclosure of what data is fetched or possibly transmitted. In a financial document tool, silent external syncing increases privacy and supply-chain risk because users may not expect network activity from a reimbursement workflow.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The wizard collects an email username and app-specific password, then interpolates them directly into config.yaml in plaintext without warning the user. Plaintext credential storage is dangerous because any local user, backup system, sync service, or accidental file disclosure can expose mailbox access and enable broader account compromise.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script writes the generated configuration file, which may contain sensitive fields such as email credentials or API keys, without clearly disclosing beforehand what exact secrets will be persisted to disk. That reduces informed consent and increases the chance that users unknowingly leave sensitive data stored in an insecure location.

VirusTotal

64/64 vendors flagged this skill as clean.
