
Security audit

Cai Gun Gun

Security checks across malware telemetry and agentic risk

Overview

This finance tracker does what it claims, but it automatically copies sensitive financial records into a skill data folder that may sync, with mixed privacy messaging and limited user control.

Review before installing if you plan to store real financial data. Confirm whether your OpenClaw environment syncs skill data directories, avoid using it for sensitive accounts unless you are comfortable with both local and skill-directory copies, export backups before importing or clearing data, and verify delete targets carefully.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documents file read/write, environment-variable-based path control, and local/cloud-style data synchronization, but declares no permissions. For a finance tracker handling sensitive transaction data, undeclared capabilities undermine user consent and platform enforcement, and could enable unexpected access to financial records or writes outside the intended storage area if the runtime trusts the manifest.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill silently duplicates all financial records from the user's local data store into the skill directory specifically for cloud sync. For a finance tracker, transaction history, account names, balances, merchants, and notes are highly sensitive; automatically expanding storage/distribution scope without explicit consent materially increases confidentiality risk and the blast radius of any compromise or syncing backend exposure.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes broad everyday phrases such as '记账' and '我要记账', which can cause accidental invocation in unrelated conversation. In a finance skill with write/delete/import/export capabilities, mis-triggering increases the chance of unintended data creation, modification, or exposure through subsequent prompts or actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill handles highly sensitive financial records and describes third-party bill import plus automatic synchronization, but does not provide clear privacy disclosures about what data is synced, where it goes, who can access it, or how users can opt out. In this context, silent sync/export behavior materially raises confidentiality risk because transaction histories, accounts, and balances are personal financial data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code enables automatic sync into the skill directory, where platform-level cloud sync may occur, but it does so without any user-facing privacy notice or consent flow. In a bookkeeping skill, this is especially dangerous because the data includes detailed financial activity and could be unintentionally exposed beyond the local device.

VirusTotal

66/66 vendors flagged this skill as clean.
