Budget Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a simple local budget tracker, but its documentation overstates some finance features and users should not rely on its monthly report accuracy.

Install only if you are comfortable storing income and expense notes locally at $HOME/.budget-tracker/ledger.json. Avoid entering secrets in transaction notes, and do not rely on the advertised monthly or budget features until the documentation or implementation is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3 (Medium)

Category: MCP Least Privilege
Confidence: 85%
Finding: The skill advertises local finance tracking but declares no permissions while invoking capabilities consistent with reading, writing, and potentially accessing environment data. In a finance context, undeclared file and environment access reduces transparency and can expose sensitive financial records or tokens if the implementation reads broader local data than users expect.

Tp4 (High)

Category: MCP Tool Poisoning
Confidence: 91%
Finding: The documented behavior materially differs from the implemented behavior: promised multi-currency support, budget management, and monthly filtering are absent, while another feature is present but undocumented. For a personal finance skill, such mismatches can mislead users into making financial decisions from incomplete or incorrect reports, and hidden functionality undermines informed consent about what the skill actually does.

VirusTotal

66/66 vendors flagged this skill as clean.
