Corporate Banker Digital Employee

Security checks across malware telemetry and agentic risk

Overview

This skill is a banking workflow guide, but it asks agents to access sensitive banking and credit systems while claiming it has no tools, network access, storage, or executable behavior.

Install only in a controlled banking environment with approved system connectors, role-based access, explicit customer/credit authorization, and documented retention controls. Do not rely on the manifest's no-tools/no-network/no-storage claims; treat the skill as requesting sensitive regulated data access and limited write/persistence authority.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch
Severity: High
Confidence: 99%
Finding: The manifest and security notice claim the skill is advisory-only, non-executable, and lacks storage or network access, yet the body instructs internal/external API access, file reads, search/crawling, and audit-log generation. This mismatch is dangerous because downstream systems, reviewers, or agents may grant trust or reduced scrutiny based on false metadata while the skill actually handles sensitive banking workflows and data.

Intent-Code Divergence
Severity: High
Confidence: 99%
Finding: The file states that no code or scripts are executed, but repeatedly instructs running validation scripts and even a direct Python command. In an agent setting, such instructions can cause unauthorized local code execution or create a false sense of safety around executable behavior, especially when paired with sensitive financial data handling.

Intent-Code Divergence
Severity: High
Confidence: 99%
Finding: The notice says there is no persistent storage, but multiple sections require saving visit notes and generating audit log files retained for years. This is dangerous because users and control systems may rely on the no-storage claim while the skill actually persists sensitive enterprise, personal, and credit-related records.

Intent-Code Divergence
Severity: High
Confidence: 99%
Finding: The skill claims there are no network calls or credential collection, but directs access to internal banking APIs, external platforms, crawler/search retrieval, and sensitive credit systems. This discrepancy can bypass trust assumptions and expose regulated data flows to systems that were told the skill is offline and non-collecting.

Context-Inappropriate Capability
Severity: High
Confidence: 92%
Finding: The skill directs collection and analysis of highly sensitive personal and credit-surveillance data, including legal representative credit reports, shareholder credit status, and hidden-associate identification, despite presenting itself as an educational/advisory skill with no tools. In a banking context this materially increases privacy, compliance, and abuse risk because it normalizes broad surveillance and correlation across sensitive sources without clear authorization boundaries.

VirusTotal

64/64 vendors flagged this skill as clean.