Security audit

Journey to First Million

Security checks across malware telemetry and agentic risk

Overview

This finance-tracking skill is not malicious, but it should be reviewed because it stores sensitive money records persistently while its project-local scope wording is inconsistent.

Install only if you are comfortable with the skill keeping income, expense, notes, and budget history in ~/.openclaw/workspace/first-million/. Use explicit wording when you want it to log or change records, and inspect or remove the ledger.json and budget.json files yourself if you no longer want that data retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The skill advertises a project-local-only scope, but its documented behavior persists financial data under the user's home-directory workspace. That mismatch can mislead users and orchestrators about where sensitive personal finance data is stored, weakening consent and trust boundaries even without network exfiltration.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The manifest claims project-local-only operation, yet the skill reads and writes persistent ledger and budget files in ~/.openclaw/workspace/first-million/. For a finance skill handling sensitive spending and income records, this is a material scope-declaration violation that can cause unauthorized persistence beyond what the user expects.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrases are broad enough to capture many ordinary finance conversations, causing the skill to activate in contexts where the user may only want advice rather than persistent transaction logging or budget changes. Because the skill can write financial records, overbroad activation increases the chance of unintended data creation or modification.

Vague Triggers

Medium
Confidence: 90%
Finding
Generic common-request phrases like saving tips, budgeting help, and progress questions lack clear boundaries separating informational advice from state-changing operations. In a finance skill with persistent storage, ambiguous routing can lead to unintended recording, budget changes, or premature use of personal financial context.

Session Persistence

Medium
Category
Rogue Agent
Content
## Scope & safety

- **Data:** Ledger and budget data are stored in OpenClaw workspace: `~/.openclaw/workspace/first-million/` (`ledger.json`, `budget.json`). Scripts read and write only these files; no network or credentials.
- **Scripts:** Only the three project scripts under `scripts/` are used; no shell pipelines, no remote fetches, no credentials.
- **References:** Only project Markdown files under `references/` are read. No external URLs or APIs.
Confidence: 94%

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.