Personal Finance Reconciler

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local personal-finance skill; it handles sensitive bank data, but its storage and report behavior are disclosed and fit its purpose.

Install only if you are comfortable keeping bank transaction history in a local SQLite database under the skill data directory. Avoid importing statements on shared machines, review any generated HTML reports before sharing them, and be cautious with custom regex categorization rules because complex patterns can slow local processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 87%
Finding
The onboarding trigger phrases are broad enough to activate finance-specific guidance when a user asks generic questions like 'help me track my finances' or 'get started,' which can steer the agent into collecting or processing sensitive financial files without sufficiently clear user intent. In a personal-finance context, this increases privacy risk because bank statements and transaction history are highly sensitive data.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill directs the agent to save HTML reports to disk without requiring prior user consent or warning that sensitive financial summaries will be written as a file. Because the report may contain categories, merchants, budgets, and spending history, silently creating a persistent artifact can expose private data to other local users, backups, or later unintended disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.
