Security audit

Invoice Compliance Checker

Security checks across malware telemetry and agentic risk

Overview

This skill is a descriptive invoice-compliance helper with no evidence of hidden access, persistence, credential use, network calls, or financial transactions, though its trigger wording is broader than ideal.

Reasonable to install for informational invoice-compliance checklists, but do not rely on it for legal, tax, or financial decisions without professional review. Be aware it may activate for broader finance prompts, so keep usage focused on invoice compliance and verification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

High
Confidence: 95%
Finding
The skill's trigger scope is far broader than its stated purpose of invoice compliance checking, inviting use for generic budgeting, tax optimization, pricing, and financial-health advice. This kind of scope creep can cause misrouting and unsafe overreliance on a narrowly framed skill for regulated or higher-risk financial topics, increasing the chance of incomplete, inaccurate, or non-compliant guidance.

Natural-Language Policy Violations

Medium
Confidence: 78%
Finding
The metadata declares the skill as English-only, but the content embeds a Chinese-only user scenario and expected output without any language-selection or locale policy. This mismatch can lead to inconsistent behavior, user misunderstanding, or missed compliance nuances when the agent handles multilingual invoice-verification requests, especially in jurisdiction-specific tax contexts.

Vague Triggers

Medium
Confidence: 95%
Finding
The trigger keywords include very broad generic terms such as "invoice", "compliance", and "checker", which can cause the skill to activate in many unrelated contexts. This increases the chance of unintended invocation, user confusion, and accidental routing of sensitive finance-related prompts into this skill when a more appropriate skill should handle them.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.