ClawHub

Central de Deudores BCRA

Security checks across malware telemetry and agentic risk

Overview

The skill is instruction-only and purpose-aligned, but it enables lookup and display of sensitive credit/debt information by tax ID without clear consent or lawful-use guardrails.

Review before installing. Use this skill only for your own records or clearly authorized business/legal workflows, verify the CUIT/CUIL/CDI before querying, avoid sharing results unnecessarily, and prefer the official BCRA API over the optional third-party UI unless you intentionally want to use that site.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill is explicitly designed to retrieve and present a person's or company's credit and debt status using a national identifier, which is highly sensitive financial personal data. Without any warning, consent requirement, authorization check, or privacy handling guidance, the skill can facilitate unauthorized lookups, profiling, or disclosure of regulated financial information.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The OpenAPI spec exposes endpoints that retrieve sensitive financial and credit-status data using only a personal or corporate tax identifier (CUIT/CUIL/CDI), and the skill description explicitly encourages use for checking an individual's or company's debt situation. Even if the upstream BCRA API is public or authorized, the skill lacks any visible consent, authorization, purpose-limitation, or privacy-warning controls, creating a real risk of privacy abuse, unauthorized profiling, and disclosure of sensitive financial information.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal