Credit

Security checks across malware telemetry and agentic risk

Overview

This is an advice-only credit guidance skill, but users should avoid sharing unnecessary personal financial details with it.

Use this skill for education and planning, not as a secure financial-record vault. Share approximate balances, utilization percentages, dates, and generalized facts when possible; redact SSNs, full account numbers, report IDs, addresses, lender-specific identifiers, and legal or fraud documents. For disputes, identity theft, freezes, or major borrowing decisions, confirm actions with official bureaus, lenders, or a qualified professional.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence: 90%
Finding
The example prompts encourage users to disclose sensitive credit and financial details, such as utilization by card and credit-report issues, without any caution to minimize, redact, or avoid sharing personally identifying account data. In a financial-advice skill, this creates a realistic risk of oversharing data that could expose private financial information to logging, retention, or downstream systems.

Missing User Warnings

Medium
Confidence: 93%
Finding
Requesting current balances in a pre-mortgage context invites disclosure of highly sensitive financial information at a time when users may be especially motivated to comply. Because the skill is specifically about credit optimization, the context makes the prompt more likely to elicit detailed real-world data, increasing privacy and data-handling risk if the conversation is stored or exposed.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill prompts users to paste detailed financial, credit, and identity-theft information into the agent without any warning to minimize or redact sensitive data. In a financial-assistance context this increases the chance users will disclose account details, balances, creditor names, dispute facts, or identity-theft indicators that could be stored, logged, or mishandled by downstream systems.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger list contains many broad, common finance terms such as 'credit card', 'debt', 'mortgage credit', and bureau names, which can cause the skill to activate during ordinary financial conversations that are not actually requesting this skill. This is not directly exploitable as code execution, but it can lead to unintended routing, over-collection of sensitive financial context, and reduced reliability of agent behavior.

VirusTotal

45/45 vendors flagged this skill as clean.
