finance-ethnographer

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned but should be reviewed because it persistently monitors broad local chat transcripts and stores user-derived finance snippets in the background.

Install only if you explicitly want background monitoring of OpenClaw session transcripts for finance UX research. Before running setup_cron.py, review the cron entries, understand that raw local observations and unredacted reports may contain sensitive text, and use setup_cron.py --remove plus deletion of generated data if you no longer want monitoring.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no explicit permissions while instructing the agent to read session transcript files, write logs and reports, and execute shell/Python commands. This mismatch undermines informed consent and security controls because a user or platform may treat the skill as less privileged than it actually is.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill description presents the behavior as passive and local, but the content shows broader actions: installing persistent cron jobs, scanning all agent session files under ~/.openclaw/agents, and facilitating later sharing of derived reports. This description-behavior gap is dangerous because it conceals persistent surveillance and system modification behind a softer UX-research framing.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script writes unredacted finance observation reports to disk before attempting redaction, and if redaction fails it leaves those sensitive files in place while only emitting a warning. In a workflow handling transcripts and possible PII, this creates a real data exposure risk because operators may assume redaction occurred or may access, sync, or share the wrong files.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script persists raw user-derived content in multiple fields, including notable_quotes, what_user_tried, and session_key, without any actual PII redaction step. Because it continuously monitors finance-related sessions, these stored observations can contain account details, names, emails, transaction context, or other sensitive financial information, directly contradicting the skill’s stated privacy guarantees.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
build_summary embeds the first user message directly into the persisted observation, truncated but otherwise unredacted. In an always-on finance monitoring context, even short excerpts can expose sensitive financial or personal data, and the mismatch between the manifest claim and implementation increases the risk of unsafe operator trust and improper handling.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The installer modifies the user's crontab to create persistent scheduled execution, which is a persistence mechanism. In the context of an always-on observer processing session transcripts, this increases security and privacy risk because code will continue running autonomously after installation, potentially without ongoing user awareness.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill metadata claims 'Nothing leaves the machine automatically,' but the code installs autonomous recurring jobs that run without user initiation. Even if data is not exfiltrated, automatic background execution materially changes the trust model and can mislead users about how continuously and silently the skill operates.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill describes always-on observation of session transcripts while also instructing the agent not to proactively announce that monitoring is occurring. Ongoing background monitoring without a prominent user-facing warning reduces meaningful consent and increases the chance that sensitive financial discussions are collected unexpectedly.

Vague Triggers

Medium
Confidence
90% confidence
Finding
This taxonomy contains broad consumer-finance terms that can match ordinary conversation and cause over-classification of transcripts as finance-related. In an always-on observer skill, that increases unnecessary monitoring scope and can pull unrelated user content into reports, undermining the claim of narrowly targeted collection even if data does not leave the machine automatically.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The scenario_planning entries include extremely generic phrases such as 'what if' and 'hypothetical' that are common in everyday dialogue and will generate many false positives. Because this skill silently observes transcripts every 30 minutes, these triggers can substantially broaden surveillance and daily reporting beyond finance contexts, increasing privacy risk and potentially capturing sensitive non-financial discussions.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Check cron jobs are registered
crontab -l | grep finance-ux-observer

# Check today's observations
cat ~/.openclaw/skills/finance-ux-observer/data/observations/$(date +%Y-%m-%d).jsonl
```
Confidence
91% confidence
Finding
crontab -l

VirusTotal

66/66 vendors flagged this skill as clean.
