ClawHub

乖猫记账

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed BillCat bookkeeping integration that can save, delete, and query financial records when the user runs its commands.

Install only if you intend to connect OpenClaw to your BillCat account. Treat BILLCAT_API_KEY as a sensitive secret, avoid committing it to repositories or logs, review extracted bill results to prevent duplicates, and double-check bill IDs before deletion because the skill can modify real financial records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documentation shows access to environment variables, local configuration files, and outbound network calls, but it does not declare corresponding permissions. This creates a transparency and trust problem: users and platforms may not realize the skill reads secrets and sends account-affecting requests to a remote API, increasing the chance of unintended credential exposure or unauthorized operations.

Context-Inappropriate Capability

Low
Confidence
73% confidence
Finding
The skill reads credentials not only from the direct environment but also from OpenClaw config and ~/.openclaw/.env. That behavior is not inherently malicious, but it expands the skill's ability to access local secrets beyond what a user may reasonably infer from the description, creating a transparency and least-surprise issue.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill performs state-changing operations: extracting a bill also saves it, and deletion permanently removes bills by billId. The README presents these actions as normal usage but does not prominently warn users or require confirmation before potentially irreversible account changes, which can lead to accidental data modification or loss.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation instructs users to obtain and store a BILLCAT_API_KEY in environment files and config files, but it does not warn that this credential authorizes account operations such as saving, deleting, and querying bills. Without clear handling guidance, users may store the key insecurely, commit it to repositories, or share logs/configs that expose full account access.

Missing User Warnings

Low
Confidence
70% confidence
Finding
The code automatically loads an API key from environment variables and local config files without any visible disclosure in this file. In context this appears intended to improve usability, but undisclosed secret access can surprise users and weakens informed consent around credential handling.

Missing User Warnings

Low
Confidence
77% confidence
Finding
This function sends JSON payloads to an external API endpoint, which is expected for a cloud-backed bookkeeping integration. The issue is not the network call itself, but the lack of visible warning or disclosure in-code/user-facing messaging that bill contents and related data are transmitted to BillCat servers.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script sends raw natural-language bill text directly to an external BillCat API, and that text may contain sensitive financial information such as spending habits, merchants, times, notes, or account-related details. In this skill context, external transmission is expected for functionality, but the lack of any disclosure, minimization, or consent mechanism creates a real privacy/security issue because users may not realize their personal finance data leaves the local environment.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal