Eternal Expense Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a local expense tracker. Its handling of sensitive financial data is disclosed and matches its purpose, but there are privacy precautions users should understand.

Install only if you are comfortable storing receipt and bank-statement-derived transaction data locally under ~/.expense-tracker/. Treat that directory and any exported CSVs as private financial records, avoid importing unnecessary sensitive fields, and delete or protect the files when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger list includes broad, common phrases such as "track expenses," "budget tracker," and especially "where did my money go," which can match ordinary conversation and cause unintended invocation. In a skill that processes sensitive financial information, accidental activation increases the chance of exposing receipts, bank statements, or spending data to the wrong workflow without clear user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill handles highly sensitive financial data including receipts, bank statements, merchant history, and budgets, and it explicitly stores that data under a persistent directory in the user's home folder. Without an explicit privacy warning, retention notice, and guidance on handling sensitive inputs, users may unknowingly import or persist confidential financial records, increasing privacy, compliance, and local data-exposure risk.

VirusTotal

66/66 vendors flagged this skill as clean.
