ZapYeti

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real ZapYeti debt-management helper, but it exposes broad financial-account API actions without enough limits or confirmation guidance.

Install only if you trust ZapYeti and can use a least-privilege API key. Treat read-only debt lookups as lower risk, but require explicit approval before logging payments, exporting data, deleting or changing records, connecting SimpleFin, posting social content, creating or deleting API keys, removing an account, or using any admin endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

MCP Least Privilege

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill invokes shell-based helpers (`scripts/zy_api.sh`) and requires `curl`/`python3`, but no explicit permissions or user-safety constraints are declared. In a financial-data skill, undeclared shell capability increases risk because the agent may perform networked actions and data exports without clear consent or sandbox expectations.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The documentation broadens the effective scope from debt tracking into social features, SimpleFin sync, and especially admin endpoints, which are outside the stated user-facing purpose. This creates a confused-deputy risk where the agent may access higher-risk or privileged APIs that users did not intend to authorize, particularly dangerous in a financial context.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The documented API surface substantially exceeds the skill's stated debt-tracking purpose by exposing user management, social, API key, and admin capabilities. In an agent setting, overbroad documented capabilities increase the chance that the skill will be wired to invoke sensitive operations outside user intent, enabling privilege misuse, account changes, or access to unrelated data.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
Admin endpoints are highly sensitive and are not justified by a normal end-user debt management skill. If the agent can access or even reason over these operations, a prompt injection, misbinding, or authorization mistake could trigger tenant-wide syncs, expose operational data, or perform actions against other users.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
Social features are unrelated to the manifest's debt and payment-management purpose, yet they introduce new data-sharing and posting actions. In an agent context, unrelated social actions increase the risk of accidental disclosure of financial progress, unwanted posts, joins, reactions, or other privacy-invasive behaviors.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
API key management is a sensitive capability that is not necessary for ordinary debt tracking. Allowing an agent skill to create or delete API keys can enable long-lived credential issuance, credential destruction, or unauthorized persistence beyond the immediate user session.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The activation language is broad enough to trigger on ordinary conversations about debts, balances, payments, or plans, increasing the chance the skill is invoked when the user only wants general advice. Because the skill can query and modify real financial records, overbroad triggering materially raises the risk of unnecessary data access or unintended actions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill advertises payment logging and full data export without warnings about account modification, sensitive financial disclosures, or the need for explicit user confirmation. In a debt-management system, these operations can alter records or exfiltrate highly sensitive financial data, making silent or routine execution particularly dangerous.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The reference lists many destructive and sensitive operations such as deletes, account removal, profile changes, API key actions, and admin functions without any indication of confirmation requirements or risk boundaries. In an agent-integrated skill, lack of safety guidance increases the chance these actions are invoked automatically, misunderstood, or exposed without adequate user consent.

VirusTotal

57/57 vendors flagged this skill as clean.