Credit Review Digital Employee

Security checks across malware telemetry and agentic risk

Overview

This credit-review skill is broadly consistent with its stated purpose, but its manifest understates the sensitive operational access, script execution, and long-term record keeping that the skill body actually requires.

Install only in an environment where the operator intentionally grants bank-system, credit-report, customer-note, and audit-log permissions. Treat it as an operational financial workflow skill, not a documentation-only reference, and require explicit user approval and least-privilege access before using live customer or credit data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Scope Creep
Severity: High
Confidence: 99%
Finding: The manifest declares an offline, advisory-only skill with no executable code or tools, yet the body instructs running Python scripts, querying internal/external APIs, and saving notes/logs. This mismatch can bypass platform safety expectations and cause an agent or reviewer to trust a capability profile that materially understates the skill's operational reach.

Intent-Code Divergence
Severity: High
Confidence: 99%
Finding: The security notice claims no executable code is included, but the skill repeatedly directs execution of Python validation scripts. A deceptive safety notice reduces operator caution and can lead to unauthorized code execution in environments that believed the skill was documentation-only.

Intent-Code Divergence
Severity: High
Confidence: 99%
Finding: The notice says there are no network calls or credential-related access paths, yet the skill specifies extensive API, web, and credit-system queries involving sensitive business and credit data. This can mislead users and operators into permitting access to regulated data sources without appropriate scrutiny, gating, or compliance review.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The manifest presents the skill as educational/advisory-only, but the content defines production-style operational workflows that access systems of record, generate auditable artifacts, and persist customer notes. This creates a trust-boundary failure where deployment controls based on metadata may be too weak for the actual behavior described.

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: The skill requires broad note-saving and multi-year audit logging despite being declared educational/advisory-only. In this context, persistent storage is especially sensitive because the workflows handle customer identity, credit, litigation, collateral, and other regulated financial-risk information.

VirusTotal

61/61 vendors flagged this skill as clean.