Expense Tracker

Security checks across malware telemetry and agentic risk

Overview

The skill is an expense tracker whose behavior matches its stated purpose, but it writes private spending records and notes into persistent local files and syncs them to a hard-coded Google Sheet using a service-account credential path.

Install only if you intend your expense ledger, including notes, to be stored locally and synced to the referenced Google Sheet. Before use, confirm the sheet ID and service-account credential belong to you, limit the credential permissions, and remove or disable the sync instructions if you want local-only tracking.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly states that expense data is written to persistent local ledger files and synced to Google Sheets, but provides no user-facing disclosure or consent mechanism for storage and third-party transmission. Because expense entries include free-form notes, the data can contain sensitive personal or financial information, making undisclosed persistence and external syncing a real privacy risk.

Missing User Warnings

Medium
Confidence: 96%
Finding
The documentation references a specific Google service account credential path and external Google Sheets API usage without warning that the skill accesses credentials and sends data off-host. This increases the chance of silent external data transfer and normalizes use of privileged credentials without transparency, which is dangerous in an agent context.

Ssd 3

Medium
Confidence: 97%
Finding
The skill instructs syncing all ledger contents, including free-form notes, to an external Google Sheet. Free-form notes can easily include sensitive personal, location, merchant, or health-related details, so sending them wholesale to a third-party service creates a meaningful privacy and data-governance risk.

VirusTotal

64/64 vendors flagged this skill as clean.