ClawHub

AML/KYC Documentation Generator

Security checks across malware telemetry and agentic risk

Overview

This is a text-only UK AML/KYC document drafting skill with sensitive compliance use cases, but no code execution, credential use, persistence, or hidden data movement.

Install only for UK AML/KYC drafting support. Do not paste unnecessary personal data or confidential SAR details; mask identifiers where possible. Treat all outputs as drafts for review by an MLRO, qualified compliance professional, or legal adviser, and use accredited services for actual ID, PEP, sanctions, and electronic verification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The invocation metadata is broad enough to attract generic 'compliance' or documentation requests beyond tightly scoped UK AML/KYC use cases, which can cause the skill to activate in the wrong context. In a regulated-compliance skill, over-broad routing increases the chance of producing authoritative-seeming AML, SAR, or policy content for users outside the intended jurisdiction or regulatory perimeter, leading to unsafe reliance or misapplication.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The listing explicitly promotes drafting Suspicious Activity Reports, including internal and MLRO-to-NCA submissions, but does not warn that SARs are legally sensitive, fact-specific disclosures where inaccuracies, hallucinations, or inappropriate wording can create regulatory, legal, and tipping-off risks. In AML context, users may over-rely on generated text for filings that should be based on verified evidence and reviewed by qualified compliance personnel.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill is designed to generate AML/KYC documents such as CDD, source-of-funds, beneficial ownership, and sanctions/PEP records, which commonly contain highly sensitive personal, financial, and sometimes criminal-suspicion data, yet the listing provides no privacy or data-handling warning. This increases the risk that users paste regulated personal data, special-category-like risk indicators, or confidential investigation details into the system without understanding retention, minimization, consent, or confidentiality obligations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal