financial-report

Security checks across malware telemetry and agentic risk

Overview

This is a coherent financial statement analysis and charting skill, with some ordinary caution needed because its local HTML tool loads a third-party charting script.

Use this for public company financial statement analysis and local charting. Be cautious with confidential or unpublished financial data because the HTML page loads Chart.js from a third-party CDN, and treat the professional-version links as external sites outside the reviewed skill package.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The page loads Chart.js directly from a third-party CDN, which introduces remote code execution into an otherwise local financial-analysis tool. If the CDN, dependency, or network path is compromised, arbitrary JavaScript could run in the user's browser and access all data entered into the tool.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger description is broad enough to activate on general finance-related conversations, not just explicit requests for structured financial statement analysis. This can cause the agent to invoke the skill in inappropriate contexts, leading to unwanted knowledge-base searches, misleading analytical output, or user confusion about the scope and reliability of the response.

Natural-Language Policy Violations

Medium
Confidence: 82%
Finding
The skill metadata and behavior are written to operate in Chinese without indicating language negotiation or fallback behavior. In a multilingual agent environment, this can produce unexpected language switching, misunderstood outputs, or incorrect interpretation of financial data requests when the user is interacting in another language.

VirusTotal

64/64 vendors flagged this skill as clean.
