ClawHub

Starling Bank

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Starling Bank integration, but it gives an agent real banking powers without enough built-in confirmation, credential, or data-retention safeguards.

Install only if you are comfortable giving the MCP server access to real Starling banking data and any write/payment scopes on the token. Prefer read-only or minimum required token scopes, verify and pin the MCP package, require explicit confirmation before every payment, payee, card, transaction-edit, or savings action, and avoid persistent memory/config storage of banking identifiers unless you can review and delete it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill enables high-impact financial operations such as creating payees, making payments, withdrawing from savings goals, and locking cards, but it does not instruct the agent to require explicit user confirmation before executing irreversible or sensitive actions. In a banking context, this omission materially increases the risk of unauthorized transfers, accidental fund movement, or destructive account changes from ambiguous prompts or prompt injection.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The setup requires a Starling personal access token but does not describe it as a secret, warn against exposing it in logs or chat transcripts, or recommend secure storage. If mishandled, the token could grant direct access to banking data and transaction capabilities through the MCP server.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The workflow tells users to store account identifiers and account details in memory/config for future use without addressing the sensitivity of banking identifiers and associated financial metadata. Persisting such data beyond the immediate task increases exposure through logs, local config leakage, model memory retention, or later misuse by unrelated prompts.

Ssd 3

Medium
Confidence
93% confidence
Finding
The instruction to persist account UIDs, category UIDs, and account details for future use encourages retention of sensitive banking data beyond the immediate need. In an agent setting, retained financial identifiers can be surfaced to later prompts, leaked via memory/config inspection, or combined with other data to expand the blast radius of compromise.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal