Autonomous Procurement Agent

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a genuine procurement quote parser, but it needs review before use: it exposes under-protected license data and ships high-impact approval automation with weak safeguards.

Install only in a controlled environment:
  • Do not expose the webhook server publicly without adding authentication or network allowlisting for /license.
  • Never set PROCU_ALLOWED_TIER in production.
  • Keep OPENAI_API_KEY unset unless your organization permits quote data to be sent to OpenAI after redaction.
  • Require human approval before any purchase order, payment, escalation, or order-locking action is accepted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The documentation claims there is no bypass for webhook secret/signature validation, yet elsewhere documents `PROCU_ALLOWED_TIER` as a dev override that bypasses exactly those signature checks. Contradictory security claims are dangerous because operators may deploy under false assumptions, and an accidentally enabled override would disable a core authenticity control for payment and license webhooks.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The middleware treats a Bearer token as merely a base64-encoded email address, which provides no authenticity, integrity, or proof of identity. Any caller can forge a token for another user's email and potentially inherit that user's licensed feature access, making this an authorization bypass rather than legitimate authentication.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The enterprise feature gate intentionally fails open on network or authorization errors, allowing restricted audit features to proceed whenever verification is unavailable. In a procurement and fraud-detection context, this can bypass licensing or control assumptions and may silently weaken security or compliance boundaries during outages or manipulated auth failures.
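The failure mode this finding describes, as an added illustration that is not the skill's own code: a gate that grants a restricted feature whenever the verifier throws, beside a fail-closed gate that tolerates a short outage only by reusing a recent positive verification. The verifier shape, the cache TTL, and the feature names are assumptions for the demo.

```javascript
// Added example (not the skill's code). A fail-open entitlement gate beside a
// fail-closed one with a bounded cache of the last successful verification.
// Verifier signature, TTL and feature names are assumptions for this demo.

// The anti-pattern: any error from the verifier is treated as "allowed".
function gateFailOpen(verify, feature) {
  try {
    return { allowed: verify(feature) === true, degraded: false };
  } catch (_err) {
    return { allowed: true, degraded: true }; // outage or forced auth failure => access
  }
}

// Hardened: errors deny, unless this feature was positively verified within ttlMs.
// `now` is injectable so the expiry behaviour can be exercised deterministically.
function makeFailClosedGate(verify, { ttlMs = 5 * 60 * 1000, now = Date.now } = {}) {
  const cache = new Map(); // feature -> { allowed, at }
  return function gate(feature) {
    let allowed;
    try {
      allowed = verify(feature) === true;
    } catch (err) {
      const hit = cache.get(feature);
      const reason = String((err && err.message) || err);
      if (hit && hit.allowed && now() - hit.at < ttlMs) {
        return { allowed: true, degraded: true, reason }; // flagged for alerting
      }
      return { allowed: false, degraded: true, reason };
    }
    cache.set(feature, { allowed, at: now() });
    return { allowed, degraded: false, reason: null };
  };
}

// Constructed verifier: answers from a fixed entitlement list while `state.online`
// is true, and throws a network-style error otherwise.
function makeFlakyVerifier(state, entitlements) {
  return (feature) => {
    if (!state.online) throw new Error("ECONNRESET: license server unreachable");
    return entitlements.includes(feature);
  };
}

module.exports = { gateFailOpen, makeFailClosedGate, makeFlakyVerifier };
```

The `degraded` flag is the part worth keeping: even when the cached answer is honoured, the caller can log and alert on the fact that the license server was unreachable, so a manipulated auth failure shows up in telemetry instead of silently widening access.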

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The comments on the async/sync wrappers contradict their actual behavior: parseQuote calls callLLMStructuredExtract, which invokes callLLMSync, and callLLMSync always throws. The LLM fallback is therefore effectively broken, a reliability and control-flow bug that can silently downgrade to a weaker parsing path and produce inconsistent fraud detection on malformed or adversarial quote inputs.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The `/license` endpoint returns subscription tier, status, and feature entitlements for any supplied email address with no authentication or authorization. This enables account enumeration and disclosure of commercial/account metadata, which is especially sensitive in an enterprise procurement context where subscription level may reveal customer capabilities, internal tooling, or payment state.

Vague Triggers

Medium
Confidence
76% confidence
Finding
A very broad trigger list can cause the skill to activate during ordinary procurement conversations, leading to unintended parsing, local state changes, or external API usage if configured. In a multi-agent environment, overbroad activation increases the risk that sensitive business documents are processed or transmitted without deliberate user intent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The markdown describes starting a background webhook server and automatically writing license data to local files without prominent warning about persistent state changes. Hidden or poorly disclosed state mutation is risky because users may trigger network listeners and data storage unintentionally, expanding attack surface and leaving sensitive operational artifacts behind.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The manifest presents broad procurement, fraud detection, approval, escalation, and payment-related capabilities without clearly constraining when the skill may be invoked or what actions require explicit user confirmation. In a finance/procurement context, ambiguous scope increases the chance the agent is used on sensitive documents or allowed to take action outside intended workflows, which can lead to unauthorized business actions or data handling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The manifest advertises automatic approval decisions, escalation emails, emergency alerts, and order locking without warning users that the skill can trigger consequential operational actions. In procurement and finance workflows, these behaviors can materially affect purchasing, vendor relations, and incident response if activated unexpectedly or on misparsed input.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill states that quote emails and OCR scans may be processed by a GPT-4o fallback but does not disclose that sensitive supplier and pricing data could be transmitted to an external model provider. Because procurement documents commonly contain confidential commercial terms, this omission creates a meaningful privacy and data-governance risk.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list includes generic business phrases like 'procurement', 'compare vendors', and 'purchase order' that can cause the skill to activate in normal enterprise conversations unrelated to an intentional security-reviewed workflow. In this skill's context, unintended invocation is more dangerous because the agent handles procurement, vendor risk, payment-related integrations, and may process sensitive quote or invoice data, increasing the chance of unauthorized data exposure or unintended automation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The manifest states that GPT-4o fallback and optional external API endpoints may be used, but it does not present a clear user-facing disclosure or explicit consent mechanism at the point where procurement documents, invoices, or quote data could be transmitted externally. This is especially risky for a finance/procurement skill because documents may contain confidential pricing, vendor identities, banking details, or commercially sensitive terms.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Sensitive procurement quote content may be sent to OpenAI automatically when the fallback is triggered, and the masking is heuristic and incomplete. Vendor data, pricing, PII, and potentially contract details can still leak externally without explicit user consent, disclosure, or policy enforcement, which is especially risky in enterprise finance workflows.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
  "slug": "autonomous-procurement-agent",
  "tagline": "Zero-leak quote parsing with dual-engine AI. F1/F2/F3 fraud detection built in.",
  "shortDescription": "Enterprise procurement automation with hybrid dual-engine parsing (regex + GPT-4o), built-in F1/F2/F3 fraud detection, auto-escalation approval flows, Safety-Freeze circuit breakers, and Lemon Squeezy MoR payment.",
  "description": "The procurement agent that actually understands messy supplier quotes. Engine 1 (regex pipeline, ms response) handles structured JSON, HTML tables, and CSV. Engine 2 (GPT-4o LLM fallback) handles plain-text emails, OCR scans, and qty×price-on-same-line ambiguity.\n\n**Every result carries risk metadata:**\n- F1: unit_price × quantity ≠ line_total → calculation error detected, auto-block\n- F2: current price > historical avg × 1.20 → price spike flagged\n- F3: same vendor, same total, within 7 days → duplicate warning\n\n**Approval flow with Safety-Freeze:**\n- Under $10,000 limit: auto-approved instantly\n- Over limit: emails primary approver → 5s timeout → escalates to backup\n- Both unreachable: Safety-Freeze + emergency alert + order locked\n\n**Lemon Squeezy MoR:** Global VAT/Sales Tax handled by LS. Payout via Payoneer/Wise/WorldFirst — no Stripe, no PayPal disputes.\n\n**Handles formats others can't:**\n- Email body: \"Servo motor SME-200: 8 units × $2,800 = $22,400\" (qty and price on same line)\n- SAP-exported HTML with merged cells\n- Chinese RMB quotes auto-converted to USD\n- Multi-currency: CNY, EUR, GBP, JPY, AUD, CAD → normalized USD",
  "icon": "https://raw.githubusercontent.com/openclaw/clawhub/main/assets/procurement-icon.png",
  "iconBackground": "#E17055",
  "screenshots": [],
Confidence
96% confidence
Finding
auto-approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
"F3 duplicate detection: same vendor + same total within 7 days",
    "Every result: confidence_score, risk_score, anomaly_flags, risk_alerts",
    "Currency normalizer: CNY/RMB/EUR/GBP/JPY/AUD/CAD → USD",
    "Approval flow: auto-approve under limit → email primary → escalate backup → Safety-Freeze",
    "Safety-Freeze: both approvers unreachable → emergency alert + order locked",
    "Lemon Squeezy MoR: global VAT handled, payouts via Payoneer/Wise/WorldFirst",
    "Zero hardcoded keys: all secrets from process.env"
Confidence
95% confidence
Finding
auto-approve

VirusTotal

66/66 vendors reported this skill as clean.