AI Expense Tracker

Security checks across malware telemetry and agentic risk

Overview

This expense tracker appears purpose-aligned, but it stores personal spending data locally outside its own skill folder without clear user-facing disclosure.

Install only if you are comfortable with this skill keeping spending records on disk. Before using it with real personal finance details, check where expenses.csv and expense_chart.png are created, avoid sensitive descriptions, and confirm state-changing actions like logging expenses because the skill does not provide strong scoping or deletion controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs the agent to invoke local Python scripts that will necessarily read and write data, yet no permissions are declared. This creates a transparency and policy gap: the agent may perform filesystem-backed financial logging and reporting without clear consent boundaries or enforcement metadata.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script deliberately computes a path three directories above the script and writes `expenses.csv` there, which places data outside the skill's own workspace boundary. This breaks isolation expectations, can overwrite or create files in a broader shared area, and increases the chance of unintended data exposure or interference with other skills or host files.

Vague Triggers

Medium
Confidence
74% confidence
Finding
The skill is framed broadly as a general personal finance assistant and tells the agent to infer user intent, which can cause over-invocation on ambiguous finance-related requests. In practice this may lead to unnecessary execution of local scripts or unintended writes when the user only wanted discussion, not an action.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
These instructions direct shell execution of a local script that records financial data, but they do not require warning the user that data will be stored or modified. Because the parameters include user-derived description text, this also raises risk around unsafe command construction if the exec call is assembled as a shell string rather than a structured argument list.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The report flow accesses stored financial data, generates a PNG on local disk, and returns a file path/image to the user without disclosing those side effects. Exposing script-produced paths or files without validation can also leak filesystem details or allow unintended file access if the script output is not constrained to an approved directory.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Budget-setting changes persistent financial settings, but the instructions do not require informing the user that an ongoing configuration is being modified. In a finance context, silent state changes are more sensitive because they can affect later advice, reporting, and user decisions.

VirusTotal

66/66 vendors flagged this skill as clean.
