finance-ethnographer 2

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed research logger, but it needs review because it persistently records broad OpenClaw usage and creates finance-related scores and hypothesis reports.

Install only if you intentionally want ongoing UX research logging of your OpenClaw activity, including non-finance usage by default and finance-related profiling. Keep retention low, disable general usage logging if available, review every report before sending or exporting, verify the recipient before email approval, and use pause, stop, or delete controls whenever you do not want activity recorded.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (10)

Description-Behavior Mismatch

Medium

Confidence: 83% confidence
Finding: The skill promises participant review before sharing, but the "Export sanitized log" command can disclose all sanitized reports in bulk without a per-report review/approval step. In a privacy-sensitive ethnography skill, even sanitized historical reports may still reveal behavioral patterns or residual sensitive context, so bypassing the normal review gate weakens consent and disclosure controls.

Intent-Code Divergence

High

Confidence: 94% confidence
Finding: The skill contains contradictory privacy instructions: it says PII handling/scrubbing is exclusively delegated to the Sanitizer, yet it also tells the Ethnographer to abstract sensitive values before logging. This ambiguity can cause the primary agent to mishandle sensitive data, either by retaining raw values in events or by performing inconsistent ad hoc redaction outside the designated privacy boundary.

Description-Behavior Mismatch

High

Confidence: 99% confidence
Finding: The example output directly includes a "Sanitized Interpretation Report" with behavioral patterns, signals, friction points, opportunities, and open questions, which are clearly inferential profiling outputs rather than raw observation logs. In a privacy-first ethnography skill handling personal-finance-adjacent activity, this creates a meaningful privacy and compliance risk because it transforms observed actions into higher-sensitivity derived data that may reveal habits, priorities, and financial posture, and the participant is then prompted to share that analysis with a research team.

Intent-Code Divergence

Medium

Confidence: 88% confidence
Finding: The file claims "All content is sanitized. No raw values appear," but the example still exposes structured metadata such as pulse IDs, document/file IDs, exact timestamps, artifact titles, feature names, tags, and observation identifiers. Even without direct PII, these fields can act as quasi-identifiers or linkage points that enable correlation across systems, re-identification, or disclosure of sensitive research context, especially in a personal-finance setting.

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The schema allows `log_general_usage` to default to `true`, which explicitly permits collection of all OpenClaw usage rather than limiting data collection to personal-finance-relevant events. In a privacy-first ethnography skill, this creates a data-minimization failure and expands behavioral surveillance beyond the stated scope, increasing privacy and consent risk even if later sharing is reviewed and sanitized.

Description-Behavior Mismatch

Medium

Confidence: 89% confidence
Finding: The test plan introduces PF classification, relevance scoring, and risk sensitivity tagging, which goes beyond the declared 'observe and log structured behavioral events (no inference)' scope. In a privacy-first ethnography skill, adding inference/classification expands processing of sensitive financial behavior and creates a mismatch between documented user expectations and actual behavior.

Context-Inappropriate Capability

Medium

Confidence: 83% confidence
Finding: The documented ability to email sanitized reports to a configured recipient extends the skill from local observation/review into external data transmission. Even if sanitized, exporting behavioral finance-related reports off-device materially changes the privacy posture and increases the chance of unintended disclosure, especially if users interpret the skill as review-only.

Vague Triggers

Medium

Confidence: 78% confidence
Finding: The skill is described as auto-invoked to observe and log behavior over time, but the trigger conditions are not narrowly constrained in the metadata-facing description. For a surveillance-like research skill handling personal-finance-adjacent activity, broad invocation increases the risk of collecting data outside the user's expected scope or before meaningful consent/state checks are enforced.

Missing User Warnings

Medium

Confidence: 78% confidence
Finding: The test plan expects silent local state updates and no-op report logging during no-event pulses without any explicit user-facing notice. In a privacy-first research context, undisclosed persistence changes can undermine user consent expectations and make retention/processing less transparent, even if the data written is limited.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The email-send flow lacks an explicit warning that sanitized reports are being transmitted off-device, which is especially sensitive for personal-finance ethnography data. Users may approve sending without understanding that external transmission creates additional exposure, persistence, and recipient-side handling risks outside the local privacy boundary.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal