Neonomics

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Neonomics banking integration, but it needs Review because it can access financial data and run payment-capable API requests without clear confirmation boundaries.

Install only if you intend to let an agent work with Neonomics through Membrane. Verify the tenant, connected bank accounts, and requested action before use; prefer read-only or vetted Membrane actions; require explicit approval for payments and any POST, PUT, PATCH, or DELETE request; revoke the Membrane connection when access is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill targets an open banking and payments platform and explicitly describes access to financial data and payment initiation, but it does not prominently warn that operations may expose sensitive financial information or trigger state-changing payment actions. In an agent setting, lack of such guardrails increases the risk that an agent executes sensitive queries or payment-related actions without adequate user confirmation or risk awareness.

Missing User Warnings

Medium
Confidence: 96%
Finding
The proxy request section permits arbitrary HTTP methods, including POST, PUT, PATCH, and DELETE, against a financial API while emphasizing transparent authentication injection. Without a clear warning or confirmation requirement, an agent could create, modify, or delete financial resources—or initiate payment-related requests—through raw API access that bypasses safer curated actions.

VirusTotal

65/65 vendors flagged this skill as clean.
