Cfoclaw

Security checks across malware telemetry and agentic risk

Overview

This CFO finance skill is mostly coherent, but it gives under-scoped guidance for sensitive financial approvals and includes examples that could weaken expense controls.

Review before installing, especially in real finance environments. Only connect FINANCE_API_BASE to an approved internal HTTPS service, restrict access to authorized finance/compliance users, treat outputs as advisory, and remove or override the examples that recommend splitting claims or changing categories to reduce approval scrutiny.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Tainted flow: 'req' from os.environ.get (line 110, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    req = urllib.request.Request(url)
    req.add_header("Accept", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read())
    except Exception as e:
        print(f"[WARN] API call failed: {e}", file=sys.stderr)
Confidence
92% confidence
Finding
with urllib.request.urlopen(req, timeout=10) as resp:

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The examples materially expand the skill from CFO dashboarding and reporting into operational reimbursement adjudication, invoice de-duplication, approval routing, and compliance decisioning. That scope drift is dangerous because users may rely on undeclared high-impact functions that can expose sensitive finance data or trigger business-control actions without the safeguards, approvals, and documentation such workflows require.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
These examples add healthcare/pharma-specific compliance adjudication such as HCP payment review, sunshine-style disclosure checks, IRB linkage, and clinical trial cost allocation, none of which is justified by the generic CFO skill description. In a regulated industry, presenting such outputs as routine skill behavior can mislead users into treating the model as an authoritative compliance gate, creating legal, privacy, and regulatory exposure.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The example recommends splitting one reimbursement into multiple claims after a budget insufficiency rejection. That can be used to circumvent budget controls, threshold-based approvals, and audit scrutiny, directly undermining the expense-control purpose of the skill.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The example explicitly suggests using a weaker-control account or splitting claims to simplify approval for a strong-control expense category. In context, this is more dangerous because the skill is supposed to support CFO expense governance, so it is effectively teaching control evasion inside a financial-control workflow.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script includes a database initialization path that unconditionally recreates the finance database and is outside a pure read/query capability. In a skill intended for finance analysis, bundling destructive state-changing behavior increases the chance of accidental or unauthorized data loss if the command is exposed or invoked by an agent workflow.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The expense-management path returns raw expense records including applicant identifiers and invoice numbers, which are unnecessary for many high-level finance-control use cases and expand access to sensitive business data. This creates a confidentiality risk if users of the skill are broader than those authorized to view personally attributable expense details or invoice references.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to connect the skill to a real backend through the FINANCE_API_BASE environment variable, but it provides no warning about handling real financial data, authentication, transport security, logging, or data minimization. In a CFO-focused skill, this omission can lead operators to expose sensitive budgets, reports, approvals, and expense data to an unvetted endpoint or use the feature without appropriate safeguards.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The top-level description and activation guidance use broad business terms that are common in ordinary finance conversations, so the skill may be invoked when the user did not intend to use it. In a skill that can initialize databases or query APIs, unintended invocation increases exposure of sensitive financial context and can trigger unnecessary code-assisted actions.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The listed trigger phrases include highly generic terms such as reports, review, approval, and adjustment without strong scope checks, which makes accidental activation likely across unrelated enterprise conversations. Because the skill can route into data-fetching and potentially state-changing flows, ambiguous triggers can lead to inappropriate use of financial tools or disclosure of internal summaries in the wrong context.

Vague Triggers

Low
Confidence
80% confidence
Finding
Multiple sub-skills share overlapping trigger words like 调拨 (transfer), 闭环率 (closure rate), and 复盘 (retrospective review), but the routing rules do not define deterministic tie-breaking beyond a high-level priority list. This ambiguity can send a request to the wrong workflow, causing incorrect financial analysis, unnecessary data access, or the wrong operational guidance.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger guidance is broad and keyword-based (for example, general phrases like '能调吗' ("can it be transferred?"), '调拨审批' ("transfer approval"), '预算调整' ("budget adjustment")), which can cause the skill to activate for loosely related finance conversations rather than explicit budget-transfer requests. In a CFO workflow, unintended invocation can lead to incorrect process guidance, premature approval-path suggestions, or exposure of sensitive budget context to the wrong task flow.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The examples contain realistic invoice numbers, employee names, hospital affiliation, approval-chain identities, and escalation details, while providing no warning about sensitive financial or personal data exposure. Even if illustrative, this normalizes disclosure of operationally sensitive and potentially personal information in outputs, increasing the risk of privacy leakage and unauthorized internal intelligence exposure.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The example describes automatic budget release and escalation behavior without any caution that these are impactful operational actions. This is dangerous because users may assume the skill can safely direct or initiate state-changing financial controls, leading to unintended budget availability changes, workflow disruptions, or governance errors.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation rule triggers on very generic business terms such as 'PDCA', '复盘' ("retrospective review"), '闭环率' ("closure rate"), and '行动清单' ("action list"), which are common in normal management and finance conversations. This can cause the agent to invoke this skill in contexts where the user did not intend a formal CFO PDCA workflow, increasing the chance of inappropriate data access, irrelevant guidance, or workflow hijacking by overlapping prompts.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The init_db function deletes the existing SQLite file whenever it runs, with no warning, backup, confirmation, or environment guard. If triggered accidentally or by an exposed automation path, it causes immediate irreversible loss of the local finance dataset.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The workflow explicitly instructs fetching financial report data from a database, but it provides no requirement to verify user authorization, apply least-privilege access, or warn that the data may contain sensitive business information. In a CFO-focused skill, this increases the risk of unauthorized disclosure of confidential financial metrics if the agent is invoked by the wrong user or in the wrong context.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger conditions are broad enough to activate on generic terms like '战略' ("strategy"), '象限' ("quadrant"), or '资源配置' ("resource allocation"), which can cause the skill to run outside its intended scope. In an agent environment, over-broad routing can expose unrelated user data to the wrong workflow, produce misleading financial guidance, or cause unintended downstream actions such as budget-transfer recommendations.

Ssd 4

Medium
Confidence
99% confidence
Finding
This example advises splitting reimbursements into multiple claims specifically in the context of simplifying approval scrutiny. That is a classic control-evasion pattern that can facilitate fraud, conceal policy violations, and weaken auditability of expense transactions.

VirusTotal

65/65 vendors flagged this skill as clean.