Bonds

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be local-only, but it is advertised as a bond-analysis tool while behaving mostly as a generic plaintext input logger for potentially sensitive financial data.

Install only if you want a local note/logging tool, not a real bond-analysis or portfolio-management tool. Avoid entering account numbers, credentials, or sensitive portfolio details, and review ~/.local/share/bonds because the skill stores entered data and history there in plaintext.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The skill is presented as a bond portfolio manager, but the documented behavior looks like a generic input logger that stores arbitrary command inputs and activity history. In a finance context, this is dangerous because users may enter sensitive portfolio, account, or personal financial data under the assumption that the tool performs bond-specific analysis, while it instead broadly records and exposes that data through search, recent, export, and status-style commands.

Description-Behavior Mismatch
Severity: Medium
Confidence: 89%
Finding: The documented command set does not match the stated finance-specific purpose and instead resembles a general-purpose logger with vague operations. This increases the risk of misuse, overcollection of sensitive financial inputs, and user deception about what the tool actually does, especially in a domain where data sensitivity is high.

Description-Behavior Mismatch
Severity: High
Confidence: 97%
Finding: The implementation materially diverges from the stated bond-management purpose and instead exposes a broad generic logging interface. This mismatch is dangerous because users may trust the skill with sensitive portfolio data under false pretenses, while the script simply captures arbitrary inputs and stores them persistently, increasing the chance of deceptive data collection or misuse.

Context-Inappropriate Capability
Severity: Medium
Confidence: 91%
Finding: The presence of unnecessary generic capabilities such as config, generate, preview, batch, and convert expands the skill surface beyond its stated fixed-income use case. In this context, unjustified extra functionality is risky because it can conceal data-harvesting behavior, confuse reviewers, and enable broader collection of arbitrary user-provided information than users would reasonably expect from a bond tool.

Intent-Code Divergence
Severity: Medium
Confidence: 88%
Finding: Branding the script as a generic utility toolkit while advertising the skill as bond-specific is a transparency and trust violation. Although not an exploit by itself, this inconsistency makes the skill context more dangerous because users may disclose financial data believing the tool is purpose-limited when the code suggests broader intended use.

Missing User Warnings
Severity: Low
Confidence: 87%
Finding: The documentation emphasizes offline use but does not clearly warn upfront that all actions and activity are automatically logged locally. In a personal-finance skill, silent or underemphasized logging can expose sensitive holdings, analysis inputs, and user activity to other local users, backups, or later exports.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The script writes all user-supplied input directly to persistent log files under the user's home directory and also mirrors it into a history log, without consent, warning, minimization, or retention controls. In a bond-portfolio context, inputs may contain sensitive financial holdings, identifiers, or strategy notes, so silent persistence creates privacy and data-exposure risk if the local account, backups, or shared environment are accessed.

VirusTotal

64/64 vendors flagged this skill as clean.