Invoice

Security checks across malware telemetry and agentic risk

Overview

This invoice helper handles sensitive billing details, but its storage, PDF creation, and optional email sending are disclosed and fit the invoicing purpose.

Install only if you are comfortable keeping client billing data, tax IDs, invoice PDFs, and your payment details in ~/billing. Review invoice numbers, amounts, tax treatment, stored client data, and email recipients before finalizing or sending, and protect or delete old billing records when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill explicitly instructs collection and storage of sensitive business and banking data, including tax IDs, addresses, and IBANs, but provides no safeguards for minimization, access control, retention, masking, or secure transmission/storage. In a billing workflow this data handling is expected, but the absence of privacy and security guidance increases the risk of accidental exposure, overcollection, or insecure local storage in predictable paths.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill describes sending invoice emails containing client and billing data without an explicit user-facing confirmation or warning at the point of transmission. In this context, invoices include personal and financial information, so automatic or insufficiently signposted sending increases the risk of accidental disclosure to the wrong recipient or unintended external transmission.

VirusTotal

64/64 vendors flagged this skill as clean.
