Personal Finance Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a coherent personal finance helper that processes sensitive financial data locally and only persists summaries with user consent.

Install only if you are comfortable letting the agent analyze pasted transactions or finance CSVs. Use the local memory folder only when continuity is useful, avoid storing credentials or full statements, and periodically review or delete saved finance notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 79%
Finding:
The 'When to Use' section contains broad consumer phrases such as 'budgeting,' 'expense tracking,' and 'finance tracker help,' which could cause the skill to activate in loosely related conversations. In a finance context, accidental invocation is more sensitive because user prompts may contain private financial details, increasing the chance of over-collection, unnecessary file access, or inappropriate use of finance-specific workflows.

Vague Triggers

Medium
Confidence: 90%
Finding:
The setup text instructs the skill to activate for a very broad set of everyday finance-related requests, including budgeting, subscriptions, debt, and CSV analysis, without defining clear exclusion criteria or disambiguation rules. This can cause the skill to trigger in situations where the user did not intend persistent finance handling, increasing the chance of over-collection of sensitive financial context or inappropriate guidance being surfaced in unrelated conversations.

VirusTotal

65/65 vendors flagged this skill as clean.
