Back to skill

Security audit

Fin Audit Automator

Security checks across malware telemetry and agentic risk

Overview

This financial-audit skill appears to be a local helper, but it overstates security and validation guarantees that the code does not enforce.

Install only if you treat this as a demo or basic local script. Do not rely on its sandbox, network isolation, tamper-proof logging, data masking, or invoice OCR claims for real regulated financial data unless the publisher replaces the mock validation and documents enforceable privacy, retention, and security controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The function is documented as validating invoice compliance from an image, but it ignores the actual image content and always validates fixed mock OCR text. In a production or agent context, this can cause false approvals or false rejections because untrusted real-world documents are never actually analyzed, creating an integrity failure in compliance checking.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The private helper accepts an input file path but never reads or processes it, instead returning one constant invoice body every time. This makes downstream validation results detached from user input, allowing any submitted invoice image to appear as the same benign sample invoice and undermining trust in the validation workflow.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The docstring for secure_execute claims it disables network access except whitelisted internal networks, disables system command execution, and provides memory data protection, but the implementation only clears proxy-related environment variables before calling an arbitrary function. This creates a dangerous false sense of security: callers may run untrusted code believing it is sandboxed when it still has full access to sockets, subprocesses, filesystem, imports, and process memory.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The module and class are presented as a 'security sandbox', but the only restriction applied is resetting HTTP(S) proxy environment variables, which does not meaningfully sandbox code execution. Untrusted or risky functions executed through this wrapper can still perform direct network access, spawn processes, read files, mutate global state, and exfiltrate data, so the naming materially misrepresents the protection boundary.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill persists audit logs and per-user trial data under ~/.openclaw without any consent, disclosure, retention policy, or minimization. Because it records user identifiers and request metadata to disk automatically, it creates a privacy and compliance risk if the host is shared, compromised, or subject to data-handling requirements.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.