ClawHub

Bank Statement Converter

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it sends highly sensitive bank statements and optional PDF passwords to an external service, with incomplete metadata disclosure around the required API key.

Review the provider’s privacy, retention, and compliance posture before using real bank statements. Use test files first, avoid reused passwords, prefer a limited or disposable API key if possible, and do not use this skill for client, regulated, or high-risk financial records unless the external processing arrangement is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs users to upload bank statements to a third-party service, which necessarily transmits highly sensitive financial data off-system. The absence of any warning, data handling disclosure, retention policy, or guidance to verify regulatory/privacy requirements increases the risk of unintended disclosure of account numbers, balances, transactions, and other personal financial information.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill tells users to send PDF passwords to the external API, which transmits a sensitive secret to a third party without any warning or trust-boundary explanation. This is dangerous because document passwords may protect financial records and may be reused elsewhere, so disclosure to an external service materially increases compromise risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal