财税公众号小助手

Security checks across malware telemetry and agentic risk

Overview

This is mostly a finance content-writing skill, but it bundles under-disclosed valuation and investment-advice workflows plus fragile command paths that users should review before use.

Install only after reviewing the command manifest and bundled guides. Fix the absolute Windows paths, remove or rotate the exposed Unsplash key, avoid the valuation/investment-advice guides unless you intentionally want that regulated workflow, and do not connect search, Coze, WeChat, databases, or conversion APIs with sensitive finance/tax/client data without explicit privacy and review controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

Context-Inappropriate Capability (High severity, 99% confidence)

Finding:
The code hard-codes an Unsplash API key directly in source, which exposes a live credential to anyone with file access or repository access. This can lead to credential theft, unauthorized API consumption, quota exhaustion, billing/abuse exposure, and makes secret rotation difficult.

Description-Behavior Mismatch (High severity, 98% confidence)

Finding:
The document defines a capability set that materially exceeds the declared skill purpose of generating finance/tax/audit public-account content. It introduces data ingestion, financial modeling, valuation, and investment-analysis workflows, which expands the trust boundary and enables high-stakes financial decision support without corresponding governance, suitability checks, or scope controls.

Context-Inappropriate Capability (High severity, 99% confidence)

Finding:
The skill includes explicit investment recommendations such as buy/add/hold/reduce/sell and target-price style outputs, despite the metadata describing a content-generation tool rather than an investment-advisory system. This is dangerous because users may rely on the agent for regulated, high-impact financial guidance without suitability assessment, compliance controls, or evidence that the system is authorized or safe for such use.

Description-Behavior Mismatch (High severity, 98% confidence)

Finding:
The file’s documented behavior is materially different from the declared skill purpose. Instead of generating finance/tax public-account articles, it defines a financial forecasting, valuation, and investment-analysis workflow, which expands capability into sensitive financial decision support without transparent declaration or appropriate governance.

Context-Inappropriate Capability (High severity, 97% confidence)

Finding:
The skill includes explicit buy/hold/sell recommendations and investment advice, which is a high-sensitivity function not justified by a content-generation skill. This can mislead users about the system’s intended scope and cause unreviewed financial decision support to be deployed under a benign-looking label.

Context-Inappropriate Capability (Medium severity, 89% confidence)

Finding:
The workflow collects and persists company financial datasets even though the manifest presents the skill as article generation. This creates undeclared data-handling behavior and increases privacy, compliance, and abuse risk because users may provide proprietary or sensitive financial information without understanding it will be stored.

Description-Behavior Mismatch (Medium severity, 89% confidence)

Finding:
The document describes capabilities beyond simple finance-content generation by explicitly promoting web search and direct WeChat Official Account publishing/integration. This scope expansion increases the agent's operational reach from drafting text to external communication and platform integration, which can surprise deployers and create unintended data flow and action risks.

Description-Behavior Mismatch (Medium severity, 87% confidence)

Finding:
The system prompt instructs the bot to automatically perform daily web searches, which exceeds a plain content-generation role and introduces network access and untrusted external content into the workflow. Automatic search can pull in inaccurate, manipulated, or sensitive-query-bearing content without clear user intent or disclosure.

Context-Inappropriate Capability (Medium severity, 91% confidence)

Finding:
The guide includes direct publishing to a WeChat Official Account even though the stated purpose is content generation, moving the skill from advisory drafting into real-world content dissemination. That increases risk because generated or externally sourced material could be published to a public channel without adequate review, authorization controls, or transparency.

Vague Triggers (Medium severity, 95% confidence)

Finding:
The trigger examples include broad natural-language phrases like '帮我写一篇财税文章' and '我要写公众号内容', which are common requests that could appear in ordinary conversation. This can cause unintended skill activation, leading the agent to enter a specialized workflow or execute commands when the user did not explicitly intend to invoke this skill.

Missing User Warnings (Medium severity, 91% confidence)

Finding:
Several commands invoke generators with flags like '--save' or explicit '--output' filenames, but the user-facing descriptions do not clearly disclose that running them will write files to disk. This can lead to unintended local file creation, accidental overwrites, or silent persistence of generated content/reports in the working environment.

Missing User Warnings (Low severity, 86% confidence)

Finding:
The image-generation commands take an '{article_path}' argument, which implies reading a local file, but the descriptions do not warn users that local content will be accessed. This can cause users to provide sensitive file paths without realizing the tool will ingest local data for further processing.

Missing User Warnings (High severity, 99% confidence)

Finding:
Using a hard-coded API key for outbound requests without clear disclosure compounds the credential exposure problem and enables silent third-party use under the developer's identity. If the key is abused, the operator may incur service disruption, quota exhaustion, or reputational and compliance issues.

Missing User Warnings (Medium severity, 91% confidence)

Finding:
The document describes collecting, storing, and publishing workflows involving user-supplied financial data, but provides no privacy notice, consent flow, retention policy, or warning about public exposure. In this context, users could submit confidential company data and have it processed or exposed without informed consent.

Missing User Warnings (Medium severity, 93% confidence)

Finding:
The skill recommends integrating third-party financial APIs but does not disclose that user queries, identifiers, or context may be transmitted externally. This is dangerous because financial analysis inputs may contain confidential company data, and silent third-party sharing can violate user expectations or compliance obligations.

Missing User Warnings (Medium severity, 95% confidence)

Finding:
The third-party API workflow sends full article content to an external conversion service without any explicit privacy notice, consent step, or data classification guidance. Because the skill is designed for finance and tax content, generated text may include confidential business, audit, or tax information, making silent external transmission a meaningful privacy and compliance risk.

Missing User Warnings (Medium severity, 95% confidence)

Finding:
The prompt directs the assistant to proactively perform online searches on first interaction, but it does not require clear user notice or consent before sending queries to an external search provider. This can expose user context or inferred interests to third parties and violates the principle of transparent tool use, especially in a finance-related workflow where prompts may contain sensitive business topics.

Missing User Warnings (Medium severity, 94% confidence)

Finding:
The instructions tell users to bind and publish through WeChat Official Accounts without warning that prompts, article drafts, and metadata may transit or be stored by Coze and WeChat. In a finance/tax context, generated content may contain sensitive business, client, or regulatory information, making undisclosed third-party transmission a meaningful privacy and compliance risk.

Missing User Warnings (Medium severity, 95% confidence)

Finding:
The document notes that Coze cloud saves conversation history but does not provide any user-facing warning, consent step, or handling guidance. For a finance-content assistant, conversations may include unpublished business plans, tax scenarios, or client details, so silent retention creates privacy, confidentiality, and regulatory exposure.

Missing User Warnings (Medium severity, 95% confidence)

Finding:
The skill explicitly instructs the agent to automatically perform network searches on first user entry, but does not require prior user consent or a clear disclosure that prompts may be sent to external search providers. This can expose user inputs, session context, or inferred interests to third-party services without the user's knowledge, which is a privacy and data-governance issue.

Missing User Warnings (Medium severity, 90% confidence)

Finding:
The documented 'automatic save' behavior indicates generated content will be persisted to an articles directory, but there is no disclosure, consent flow, retention policy, or description of what data is stored. If users include sensitive business, tax, audit, or client information in prompts, this could result in unintended retention of confidential data on disk or in downstream storage.

VirusTotal

65/65 vendors flagged this skill as clean.