v1.0.0

Fintech Customer Support

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:20 AM.

Analysis

The skill is coherent for fintech support, but it needs careful review because it can access and change sensitive money-transfer data, stores customer records, and sends customer messages to an external LLM despite a privacy claim saying otherwise.

Guidance: Review before installing. This skill should only be deployed in an authenticated support environment with a least-privileged transfer API key, explicit approval for refunds/recalls/disputes, clear disclosure of the OpenAI data flow, retention controls for local customer memory, and validation of customer IDs used in file paths.

Findings (8)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
handlers.py
result = api_post(f"/transfers/{ref}/recall", {"reason": "customer_request"})

The refund handler can make a POST request that attempts to recall a pending money transfer. The visible workflow does not require a separate human approval or explicit final customer confirmation before this high-impact action.

User impact: The agent could cancel or alter a financial transfer based on a support message and extracted reference.
Recommendation: Require explicit confirmation and/or human approval before recall or dispute actions, validate the transfer belongs to the authenticated customer, and make these actions reversible or auditable where possible.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
handlers.py
path = MEMORY_DIR / f"{customer_id}.json"
...
path.write_text(json.dumps(existing, indent=2))

Customer IDs are used directly in local file paths for persistent memory without visible sanitization or path normalization, creating a path-traversal/unsafe-write risk if a crafted customer_id is accepted.

User impact: A malicious or malformed customer identifier could cause the skill to write JSON outside the intended support-memory directory under the agent user's permissions.
Recommendation: Validate customer_id against a strict safe pattern, reject path separators and absolute paths, and resolve/check that the final path stays inside the intended memory directory.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
README.md
No data leaves your machine except via your own API and webhook

This privacy claim is materially misleading because the provided triage code sends customer messages to OpenAI's chat completions API when LLM_API_KEY is set.

User impact: An installer may believe customer data only goes to their own backend and webhook, while the skill also sends messages to a third-party LLM provider.
Recommendation: Correct the README and setup documentation to describe all external destinations, including OpenAI, and explain what data is sent.

Rogue Agents
Severity: Low | Confidence: High | Status: Note
SKILL.md
Every Monday at 08:00 (local gateway time), run:
  `python3 handlers.py weekly_digest`

Send the digest to the SUPPORT_EMAIL address via the gateway mail tool.

The skill includes a recurring scheduled operation that sends an operational digest. This is disclosed and support-related, but it is autonomous recurring behavior after installation.

User impact: The agent may continue sending weekly support summaries without a human initiating each run.
Recommendation: Make the scheduled digest opt-in, document how to disable it, and ensure the digest does not include unnecessary customer-identifying information.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
install spec
uv | package: fintech-support-agent

Installation uses an external package name via uv, while the evaluation metadata lists the source as unknown. This is common for package installs but still a provenance item to verify.

User impact: A user is trusting the package source and whatever version uv resolves at install time.
Recommendation: Install from a verified publisher, pin an exact version or hash where possible, and compare the installed package contents with the reviewed files.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
You have access to live transaction data, account status... Run `python3 handlers.py transfer_status --customer-id <id> --ref <ref>`... ask: "Could you share the transaction reference or the email address on your account? I'll pull it up immediately."

The skill is intended to access sensitive financial/customer account data, but the artifacts do not show a customer authentication or authorization check before using identifiers from a message or memory to retrieve account and transfer details.

User impact: Someone with limited identifiers such as a transaction reference, email address, or customer ID could potentially cause the agent to reveal sensitive transfer or account information.
Recommendation: Use this only behind an authenticated support channel, require identity verification before lookups, and scope the transfer API key to the minimum endpoints and records needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Concern
triage.py
"https://api.openai.com/v1/chat/completions" ... {"role": "user", "content": message}

The classifier sends the full customer message to an external LLM provider. In a fintech support context, those messages may contain personal, account, transfer, or complaint details.

User impact: Customer support messages may leave the local environment and be processed by OpenAI, which may be inappropriate without disclosure, consent, or a data-processing agreement.
Recommendation: Clearly disclose the external LLM data flow, redact sensitive identifiers before classification where possible, and allow deployments to use an approved in-house or privacy-reviewed model endpoint.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Note
SKILL.md
After every interaction, write the following to customer memory:
- Customer ID (if identified)
- Issue type
- Resolution or escalation outcome
- Timestamp

Persistent customer memory is disclosed and purpose-aligned, but it stores support history for reuse across future conversations and contains fintech customer context.

User impact: Customer support history may remain on disk and influence later responses unless retention, deletion, and access controls are defined.
Recommendation: Define retention and deletion rules, avoid storing unnecessary identifiers, protect the memory directory, and ensure memory is only reused for the correct authenticated customer.