funds-agent

Security checks across malware telemetry and agentic risk

Overview

This fund-report skill is mostly coherent, but it ships with a real-looking Telegram bot token and a "Joshua"-labeled chat ID, so running it can send a user's fund report to a hardcoded external recipient.

Review before installing or running. Remove and rotate the embedded Telegram bot token, replace the chat ID with your own verified destination, and consider disabling Telegram until you confirm exactly what will be sent. Verify the hardcoded news-market script path before enabling news aggregation, pin dependencies, and only create a scheduled task after configuration is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions while its documented behavior includes network access and scheduled shell execution via cron/schtasks. Missing capability declarations reduce transparency and consent, making it easier for a user or platform to run a skill that can exfiltrate data or execute recurring tasks without clear authorization boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior goes beyond a simple report generator by sending outbound Telegram messages, invoking other local components/scripts, and writing files to disk, while these side effects are not clearly declared as permissions or operational risks. The finding also notes embedded credentials and hardcoded configuration, which can expose secrets, enable unauthorized message delivery, and make abuse or data leakage more likely if the skill is shared or run in a broader agent environment.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill description mentions Telegram output and scheduling, but it does not present a clear warning that the skill will automatically transmit generated content to an external messaging service on a recurring basis. This weak notice/consent model is risky because users may enable the skill expecting local report generation while it actually performs automated outbound delivery every day.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
python-docx
Confidence
98% confidence
Finding
requests

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
python-docx
Confidence
98% confidence
Finding
python-docx

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
95% confidence
Finding
requests

Known Vulnerable Dependency: python-docx — 2 advisory(ies): CVE-2016-5851 (Improper Restriction of XML External Entity Reference in python-docx); CVE-2016-5851 (python-docx before 0.8.6 allows context-dependent attackers to conduct XML Exter)

High
Category
Supply Chain
Confidence
93% confidence
Finding
python-docx

VirusTotal

64/64 vendors flagged this skill as clean.
