Credit Risk Manager Digital Employee

Security checks across malware telemetry and agentic risk

Overview

This skill is a banking risk workflow that handles sensitive credit data, internal APIs, scripts, and long-term audit logs despite presenting itself as tool-free and non-persistent.

Review before installing. Use this only in an approved banking environment with explicit permission to process credit reports, bank statements, customer records, and internal system data. Do not rely on the manifest's empty tool list or no-storage claim; require a corrected manifest, documented API/file/search permissions, redaction rules, audit-log access controls, encryption, and retention policy before operational use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The skill claims there is no persistent storage, but Module 1 later requires generating audit logs and retaining them for 3 years. This contradiction can mislead reviewers and users about actual data handling, causing sensitive banking workflow data to be stored without transparent consent or proper control assumptions.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The security notice states the skill will not automatically access or process business data or PII, yet the workflow explicitly reads uploaded credit reports, extracts enterprise data, and processes sensitive risk information. This is dangerous because operators may trust the false privacy claim and submit regulated data under incorrect assumptions.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The manifest presents the skill as advisory-only, no-executable-code, and tool-free, but the body defines operational workflows using APIs, web search, file reads, validation scripts, and persisted audit outputs. This mismatch defeats security gating based on manifest metadata and may cause an execution environment to authorize a skill under materially false assumptions.

Scope Creep

High
Confidence: 99%
Finding
The manifest sets allowed-tools to an empty list, but multiple modules require external search, APIs, system interfaces, file access, and script execution. This inconsistency is dangerous because it obscures the true privilege requirements and can bypass human or automated review processes that rely on manifest declarations.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The capability metadata frames the skill as educational/advisory, but the content directs the agent to interact directly with internal banking systems, monitoring operations, reporting, and multi-year audit retention. In a banking context, this broadens the effective authority of the skill and increases the chance of unsafe deployment into sensitive environments without appropriate approval and controls.

Ssd 3

Medium
Confidence: 96%
Finding
The audit trail requirements direct persistent logging of customer-specific and user-provided sensitive data while earlier sections claim no such storage or processing occurs. In a credit-risk workflow, this creates a serious confidentiality and compliance risk because sensitive customer information may be retained broadly and silently across audit artifacts.

Ssd 3

High
Confidence: 98%
Finding
The post-loan management module instructs collection, analysis, and multi-year retention of highly sensitive data such as credit reports, fund-flow details, collateral data, and classification decisions. In a banking setting this is especially dangerous because it concentrates regulated financial data into AI-generated reports and audit logs, increasing exposure, insider misuse risk, and compliance impact if mishandled.

Ssd 3

High
Confidence: 98%
Finding
The VLM verification workflow aggregates sensitive material from uploaded documents, images, bank statements, and credit data into structured reports and audit logs. This creates a large attack and privacy surface: multimodal extraction can centralize identity, financial, and business-sensitive information beyond what is necessary, making accidental disclosure or unauthorized retention more harmful.

VirusTotal

63/63 vendors flagged this skill as clean.