SimpleFIN Bank Connection

Security checks across malware telemetry and agentic risk

Overview

This banking skill is purpose-aligned, but it needs review because it stores reusable bank-access credentials in plaintext and runs shell-built curl commands with sensitive URLs.

Review before installing. Only use this if you trust the publisher and are comfortable giving the agent access to SimpleFIN-connected bank balances and transactions. Prefer a version that uses a secret store, validates SimpleFIN HTTPS URLs, avoids shell-built curl commands, redacts credentials from errors, and explains how to delete or revoke the saved Access URL.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill invokes shell commands (`node scripts/simplefin_api.js ...`) to process sensitive banking credentials and fetch financial data, but the skill declares no corresponding permissions or trust boundary. Undeclared shell capability increases the risk of users or platform operators not understanding that local command execution will occur with access to secrets and financial data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill tells the agent to persist a credential-bearing Access URL of the form `https://username:password@...` into `memory/simplefin_url.txt`, which stores bank-access credentials in plaintext on disk. If the workspace, logs, backups, or other local tools are accessed by another process or user, the stored URL could be reused to retrieve account balances and transaction history without the user's consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This code builds shell commands with untrusted values derived from the access URL and setup token flow, then executes them with execSync. Because credentials are embedded in URLs and the final curl command is assembled as a string, a maliciously crafted URL could trigger command injection or cause sensitive banking credentials to be exposed through process arguments, logs, or error reporting; in this financial-data context, that materially increases the risk.

VirusTotal

64/64 vendors flagged this skill as clean.
