发票报销助手

Security checks across malware telemetry and agentic risk

Overview

The skill's behaviour mostly matches its stated purpose of invoice reimbursement management, but it handles financial records while loading an under-disclosed external script and performing irreversible delete/overwrite operations.

Install only if you are comfortable with a local invoice database that can be permanently changed or deleted by commands. Avoid opening generated reports with sensitive invoice data unless the CDN dependency is removed or replaced with a bundled local chart library, and treat --force/delete operations as irreversible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding: The manifest grants WebFetch and WebSearch even though the skill is documented as local-only and not requiring external services. For a finance-related skill handling invoice data, unnecessary network permissions materially expand the attack surface and create a path for sensitive invoice details to be exfiltrated or sent to third parties contrary to user expectations.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding: Allowing Bash gives the skill general shell execution capability that is broader than necessary for invoice entry, querying, and report generation. In the context of local financial data, shell access increases the risk of arbitrary command execution, unintended file access, and privilege abuse if later skill logic or prompts are compromised.

Intent-Code Divergence

Medium
Confidence: 95%
Finding: The security/privacy section states that data is local-only and not uploaded to cloud services, but the manifest permits network-capable tools. This contradiction is dangerous because it can mislead users into sharing invoices, seller and buyer identities, and reimbursement data under false privacy assumptions while the runtime still has the technical ability to transmit data externally.

Intent-Code Divergence

Medium
Confidence: 95%
Finding: The CLI help text says `--force` will only skip duplicate checking, but the implementation actually deletes any existing matching invoice before inserting the new one. This mismatch is dangerous because users or higher-level agents may invoke the flag expecting a non-destructive bypass and instead cause silent data loss and audit trail destruction.

Vague Triggers

Medium
Confidence: 78%
Finding: The trigger phrases include broad natural-language expressions such as '帮我看看发票' and '报销报告', which may overlap with ordinary conversation and invoke the skill unexpectedly. While not directly enabling code execution, overbroad activation in a finance workflow can cause unintended handling of sensitive invoice data or accidental state-changing actions.

Missing User Warnings

Medium
Confidence: 94%
Finding: The forced-add path deletes existing invoice records automatically and without any confirmation, warning, or backup. In an expense reimbursement context, this can destroy financial records, erase evidence of prior submissions, and make fraudulent or accidental replacement of invoices easier.

Missing User Warnings

Medium
Confidence: 87%
Finding: The delete command permanently removes invoice records after only checking existence, with no confirmation or recovery mechanism. Because this skill manages reimbursement data, accidental or scripted misuse can lead to irreversible loss of accounting evidence and weaken traceability for audits or dispute resolution.

VirusTotal

65/65 vendors flagged this skill as clean.