ClawHub

Bank Transactions Connector - Europe (PSD2)

Security checks across malware telemetry and agentic risk

Overview

This skill matches its banking purpose, but it gives an agent broad access to sensitive financial records and account-changing actions without strong confirmation safeguards.

Install only if you trust FiBuKI and this agent environment with banking transactions, receipts, invoices, and partner data. Before using it, require explicit confirmation for source deletion, file uploads, transaction imports or edits, partner/category changes, and any bulk AI matching; revoke the API key when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger set includes very broad finance terms like "bank", "transaction", "receipt", and "invoice", which are likely to activate during ordinary conversations that do not clearly indicate the user intended to use this external banking integration. In this skill, accidental invocation is more dangerous than usual because the plugin operates on highly sensitive financial data and can initiate actions against an external service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill does not clearly warn users that banking, transaction, receipt, and partner data will be transmitted to FiBuKI over HTTP APIs. Because this connector handles regulated financial information under an external PSD2/Open Banking workflow, lack of upfront disclosure meaningfully increases the risk of uninformed consent, accidental oversharing, and privacy/compliance issues.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal