Just Fucking Cancel

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed subscription-audit helper, but users should be careful before enabling the optional Plaid bank-data integration.

Install this only if you want a subscription audit. Prefer CSV mode for local processing. If you enable Plaid, understand that bank transaction data may be pulled through Plaid and sent to Plaid's API, and consider narrowing or avoiding broad triggers like "save money" to reduce accidental activation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 80%
Finding
The trigger phrase at this location is broad enough to match common user intent outside a narrowly scoped subscription-audit workflow, which can cause unintended invocation of a finance skill. In a skill that handles sensitive financial data, accidental triggering increases the chance of unnecessary exposure of transaction-analysis prompts or use of connected Plaid credentials.

Vague Triggers

Medium
Confidence: 84%
Finding
This trigger is vague and overlaps with many ordinary budgeting or personal-finance requests, making unintended activation plausible. Because the skill can process bank transaction data and optionally use Plaid-linked access, overly broad invocation expands the attack surface and can lead users into a sensitive workflow they did not explicitly request.

Shadow Command Trigger

Medium
Category: Trigger Abuse
Confidence: 89%
Finding
The trigger 'save money' is highly generic and can collide with unrelated built-in commands or broad user requests, causing shadow activation. In a finance skill that may prompt for transaction uploads or use Plaid integration, such collisions increase the risk of confusing routing and unintended entry into a sensitive data-processing flow.

VirusTotal

65/65 vendors flagged this skill as clean.
