Accounting Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent local accounting OCR tool, but its documented batch workflow can execute attacker-controlled shell commands through `eval`.

Review before installing. Do not use the README batch snippet with `eval`, especially on files from vendors, email attachments, shared drives, or other untrusted sources. Use `--classify-only` or route by the returned document type with fixed script calls and quoted arguments. Store generated Excel and JSON files only in protected locations, and use `--dry-run` when you do not want persistent outputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The README's batch-processing example takes a `.command` field produced by the classifier and executes it with `eval`, which enables shell injection if that field is influenced by file names, document contents, or future classifier logic. In this skill's context, users are expected to process untrusted external accounting documents in bulk, so turning classifier output into evaluated shell code creates a realistic path to arbitrary command execution on the operator's machine.

Missing User Warnings

Medium
Confidence: 83%
Finding
The README describes storing extracted invoice, purchase order, and bank statement data into Excel and JSON files but does not warn that these outputs contain sensitive financial and personal/business information. This omission can lead users to write regulated or confidential accounting data to insecure locations, sync folders, or shared workspaces without understanding the privacy and retention risks.

Missing User Warnings

Medium
Confidence: 96%
Finding
The batch-processing example normalizes unsafe behavior by recommending `eval` on generated commands without any warning about shell execution risks. Because this skill is specifically designed to classify and process untrusted document sets, the missing warning materially increases the chance that users will adopt an injection-prone workflow and execute attacker-controlled payloads.

Vague Triggers

Medium
Confidence: 88%
Finding
The invocation text is broad enough to match generic accounting-related requests, which can cause the agent to trigger this skill outside the intended document-extraction workflow. Because the skill performs OCR, shell execution, classification, and file output, overbroad routing increases the chance of handling sensitive financial documents or writing artifacts when the user did not intend to invoke this workflow.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill description explains extraction behavior but does not prominently warn that processed accounting data will be written to Excel files and JSON backups. Since invoices and bank statements often contain highly sensitive financial and personal data, silent persistence to disk can create confidentiality, retention, and compliance risks if users expect transient processing only.

VirusTotal

65/65 vendors flagged this skill as clean.
