Ach Volume Estimator

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does ACH volume estimation, but it also uses sensitive Gmail data and bundles under-disclosed revenue forecasting and dashboard automation that need review before installation.

Review before installing. Only use this if the named Gmail account, ACH KPI emails, dashboard path/URL, local revenue calibration file, and recurring cron use are approved for this workflow. Confirm whether revenue forecasting belongs in this skill or should be split into a separate, explicitly scoped skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill performs sensitive operations—reading Gmail data, downloading attachments, writing files, and serving a dashboard—without declaring permissions or presenting clear scope boundaries. Undeclared capabilities make it harder for reviewers and users to understand what data the skill can access and where that data is persisted or exposed, which increases the risk of over-collection and unintended disclosure.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The skill is described as a monthly volume estimator, but it also generates and exposes a dashboard via a network-accessible URL. Adding publication/display functionality expands the attack and data-exposure surface beyond simple estimation, especially when the dashboard may contain operational metrics derived from private email attachments.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Dashboard generation/publication is not necessary to compute a monthly estimate and introduces extra file-write and exposure behavior. Because the source data comes from private KPI emails, unnecessary downstream publication increases the chance that sensitive business metrics are retained or exposed outside the intended audience.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file implements a monthly revenue calibration checker, while the declared skill is for ACH volume estimation from KPI emails. This capability mismatch is dangerous because it can cause the agent to access or process unrelated financial calibration data and produce actions outside the approved scope, which is a form of scope drift and can hide unauthorized behavior in a seemingly legitimate skill.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The module docstring explicitly describes a monthly revenue calibration workflow unrelated to ACH monthly volume estimation. In security-sensitive agent systems, misleading or mismatched documentation increases the chance that hidden or unintended functionality is deployed under the wrong approval boundary, leading to improper data handling and operator trust failures.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file materially expands the skill from ACH volume estimation into revenue forecasting, FBO income modeling, and SOFR-linked analysis. In an agent-skill context, hidden scope expansion is dangerous because it can cause the agent to process or infer sensitive financial projections beyond the declared purpose, violating least-privilege and surprising operators who expect only volume estimation behavior.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code performs outbound network access to fetch SOFR data from FRED, which is unrelated to the stated ACH KPI email estimation purpose. Unexpected egress increases attack surface, creates data-governance and dependency risks, and can bypass operator expectations that the skill operates only on local email/KPI inputs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow directly queries a specific Gmail account and downloads attachments containing business KPI data without any visible privacy warning, consent step, or handling guidance. This is dangerous because it processes potentially sensitive financial/operational information from a personal mailbox and stores copies locally, increasing the risk of unauthorized access, retention, or accidental disclosure.

VirusTotal

56/56 vendors flagged this skill as clean.