Security audit

Cashclaw Invoicer

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Stripe invoicing helper, but it can perform real financial actions such as refunds without a built-in confirmation step.

Review before installing. Use this only with a Stripe account you control, prefer restricted Stripe API keys where possible, and do not let an agent run refund commands automatically. Protect or periodically delete ~/.cashclaw ledger/dashboard files if they contain customer billing records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Low
Confidence: 88%
Finding
The skill instructs persistent local logging of payment and reminder events to ~/.cashclaw/ledger.jsonl without disclosing that customer billing metadata will be stored on disk. Even limited invoice metadata can expose business-sensitive and customer-related information if local files are over-permissive, synced, or accessed by other users/processes.

Description-Behavior Mismatch

Low
Confidence: 87%
Finding
Updating ~/.cashclaw/dashboard.json with invoice IDs, mission IDs, amounts, statuses, and due dates creates another persistent local store of sensitive billing state that is not disclosed in the manifest. Undocumented persistence increases the chance that operators unknowingly expose financial records through backups, sync tools, shared machines, or lax file permissions.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill directs logging of payment and reminder events to local files but provides no privacy notice, retention policy, or handling constraints for potentially sensitive billing records. This can lead to accidental collection and long-term storage of customer financial metadata without informed operator awareness or safeguards.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill includes live Stripe API calls that transmit customer email, name, invoice data, and payment metadata to a third party using a secret key, but it does not clearly warn operators about this data transfer. Lack of disclosure can cause unintentional sharing of customer billing data and weakens informed consent and compliance practices.

Missing User Warnings

Medium
Confidence: 91%
Finding
The refund command performs a real financial action immediately after argument parsing, with no confirmation prompt, dry-run mode, allowlist, or secondary approval. In an agent or automation context, this increases the chance of accidental or unauthorized refunds caused by mistaken input, prompt injection into tooling workflows, or operator error.

VirusTotal

62/62 vendors flagged this skill as clean.
