Buildertrend

Security checks across malware telemetry and agentic risk

Overview

This Buildertrend skill is useful, but it needs review because it can change accounting records and other workspace systems beyond the clearly stated browser-only Buildertrend scope.

Review before installing in a live business environment. Use it only if you are comfortable giving the agent browser control of a logged-in Buildertrend account and potentially letting it create or change financial records, sync items to QuickBooks, store project data in local memory/Drive/Reminders, and update other agent workspaces. Test on a non-production project first and require explicit confirmation for every external or accounting action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (121)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The playbook extends beyond Buildertrend bid-package automation by instructing the agent to write to local memory files and update Apple Reminders. That creates unnecessary cross-system data propagation and storage of project/vendor information outside the declared tool scope, increasing the chance of privacy leakage, unauthorized retention, or actions occurring in unrelated personal productivity systems.

Context-Inappropriate Capability

Low
Confidence
86% confidence
Finding
The playbook directs the agent to notify other agents such as procurement and bookkeeping, introducing inter-agent data sharing and autonomous follow-on actions outside the immediate Buildertrend task. This broadens the trust boundary and can cause sensitive bid, vendor, and cost information to be relayed to components the user did not directly invoke or approve.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The playbook explicitly labels the workflow as read-only, but later includes state-changing actions such as fixing bills, changing sync settings, and pushing invoices into QuickBooks. This mismatch is dangerous because users or orchestrators may authorize the skill under the assumption that it only audits data, while it can actually alter accounting records and synchronization state.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is presented as a reconciliation/check workflow, but the documented steps include operational repair actions, bulk pushes, and agent-driven record updates. That creates a scope-deception issue where downstream systems, reviewers, or users may permit the skill in low-risk contexts even though it can perform materially different, write-capable behavior.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The playbook directs the agent to update Apple Reminders after completing Buildertrend portal configuration, which is a cross-system action unrelated to the core Buildertrend task. This expands the agent's authority into another application without clear user consent or business necessity, increasing the chance of unintended data propagation, privacy issues, or misuse of connected-system access.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The playbook materially exceeds the declared Buildertrend automation scope by instructing the agent to modify external services and multiple internal workspace files after job creation. This creates a dangerous cross-system side effect chain where a Buildertrend-triggered action can silently provision resources, alter agent memory/configuration, and notify other agents, increasing blast radius far beyond the user’s likely expectation.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill directs updates to several agent configuration and memory files unrelated to Buildertrend, including receipt routing, procurement matching, bookkeeping mappings, and workspace TOOLS/MEMORY documents. Allowing a user-facing Buildertrend workflow to mutate these files can corrupt downstream agent behavior, create persistence across systems, and enable unintended trust propagation into other automations.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill provisions Google Drive folders and Apple Reminders artifacts even though the skill is presented as Buildertrend automation. This mismatch expands access into external systems without clear justification, increasing the chance of over-privileged execution, accidental data disclosure, and user surprise about where project data is being replicated.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The playbook extends beyond Buildertrend automation by instructing the agent to write to local memory files, create Apple Reminders, and notify another agent. Those side effects can expose project and client data to unrelated systems, violate least-privilege boundaries, and trigger actions the user did not explicitly authorize as part of creating a change order.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The playbook directs the agent to update Apple Reminders after publishing a Buildertrend daily log, which is outside the stated Buildertrend-only scope and could modify a separate personal/productivity system without explicit, step-specific user approval. Cross-application side effects increase the chance of unintended data disclosure or unauthorized actions, especially because the post-creation section presents them as automatic follow-on tasks.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The instruction to write to `memory/YYYY-MM-DD.md` causes the agent to persist project information to a local file outside Buildertrend, creating an undocumented secondary datastore. That expands data exposure, retention, and scope beyond the user's apparent intent to create a Buildertrend daily log, and may store sensitive site/project details without consent.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The playbook instructs the agent to update Apple Reminders after invoice creation, which is an external system unrelated to the declared Buildertrend automation scope. This creates an unnecessary data flow of billing metadata into another service without any explicit user consent, increasing privacy and capability-creep risk.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The instruction to notify a separate bookkeeper agent extends execution beyond Buildertrend invoice automation into cross-agent data sharing. That broadens the trust boundary and can expose invoice and client financial data to another autonomous component without clear authorization or audit controls.

Context-Inappropriate Capability

Low
Confidence
94% confidence
Finding
Writing invoice details to daily memory introduces external persistence of financial activity that is not stated in the manifest. Even if limited to operational notes, it stores billing data outside Buildertrend and can accumulate sensitive business records without retention controls or user awareness.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The playbook’s stated scope is Buildertrend PO automation, but it instructs the agent to write PO details to a local memory file and update Apple Reminders after creation. That expands data handling beyond the user’s apparent task and can cause unnecessary persistence of financial/vendor information in external stores without clear consent, retention rules, or access controls.

Context-Inappropriate Capability

Low
Confidence
89% confidence
Finding
The playbook directs the agent to notify procurement and bookkeeping agents, which extends the workflow beyond the declared Buildertrend automation boundary. Even if operationally useful, this creates unnecessary cross-agent data sharing and increases the attack surface by propagating PO details to additional systems or agents without explicit user approval.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The playbook explicitly asks the user for local Mac file paths and Google Drive links, expanding the agent's operating scope beyond Buildertrend browser automation into local filesystem and third-party storage access. This creates a risk of over-collection and unintended access to sensitive files, especially because document management content may include contracts, insurance documents, permits, and client materials.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The bulk upload flow instructs the agent to read files from a Mac folder path, which grants effective local filesystem reach unrelated to the stated Buildertrend-only automation purpose. In a bulk context, this is more dangerous because it can expose large sets of unrelated or sensitive files if the path is broad, mistaken, or manipulated.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The post-action step directs the agent to cross-file documents into Google Drive, an external system not disclosed in the skill description and separate from Buildertrend. Duplicating project documents into another repository increases data exposure, weakens data-boundary expectations, and may violate least-privilege or retention requirements for sensitive construction and client records.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The note about using Apify/SerpApi for Home Depot Pro pricing comparison introduces an external data-access/scraping capability that is outside the documented Buildertrend receipt-import workflow. Expanding scope to third-party pricing tools can lead to unnecessary data sharing, unreviewed external dependencies, and misuse of procurement information without explicit user consent or control.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The playbook handles sensitive financial/project-costing data and explicitly includes saving reports to Google Drive, which expands data flow beyond Buildertrend into external storage. That creates confidentiality and retention risk if Drive access, folder permissions, tenant boundaries, or sharing settings are not tightly controlled and user-approved.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The playbook instructs the agent to create follow-up reminders in Apple Reminders, which is an external system not established in the Buildertrend-focused skill scope. This creates a cross-application action path that may expose lead/contact data to another service and cause the agent to perform actions the user did not explicitly authorize within this skill's declared capabilities.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The playbook offers to email pipeline reports to the user even though email-sending capability is not established by the skill manifest. Emailing lead pipeline data can disclose sensitive business and personal information outside Buildertrend, increasing the risk of unintended sharing, delivery to the wrong recipient, or unreviewed exfiltration of customer data.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The playbook directs the agent to write to daily memory, update Apple Reminders, and notify another agent after waiver actions, which extends behavior beyond Buildertrend into other systems. This creates unauthorized data propagation and side-effect risks because project/payment status may be recorded or shared without explicit user consent at the time of action.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
Referencing company-level lien waiver settings introduces a path for the agent to guide or potentially perform configuration changes outside the immediate task of tracking waivers. In a financial/compliance workflow, broad settings access can affect all jobs and weaken controls if changed inadvertently.

VirusTotal

62/62 vendors flagged this skill as clean.
