Max Banking

Security checks across malware telemetry and agentic risk

Overview

This banking skill has a real purpose, but it can create PIX and boleto payment requests from broad or ambiguous inputs and stores banking credentials locally, so it needs Review before use.

Install only if you fully trust the publisher and the MaxBank MCP endpoint, and only after tightening the workflow: require explicit confirmation before every PIX or boleto request, narrow the triggers, disable automatic handling of uploaded images and raw numbers, avoid exposing status/debug output, and treat the stored agent_key as a sensitive banking credential that must be protected and revocable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Context-Inappropriate Capability

Severity: Medium. Confidence: 82%.
The trigger set includes broad account- and finance-adjacent terms such as extrato, saque, transferência, investir, and cartão even though the documented executable actions are limited to saldo, conta, setup, pix, and billet. In a banking skill with real payment capability and always-on activation metadata, this mismatch can cause unintended invocation and route users into sensitive financial workflows from ambiguous requests.

Intent-Code Divergence

Severity: Medium. Confidence: 90%.
The documentation is internally inconsistent: it says transferência is unsupported, but earlier treats transferir/transferência as a condition for PIX execution. In a real-payment skill, that ambiguity is dangerous because the agent may interpret a generic transfer request as authorization to create a PIX payment without the user's clear, transaction-specific consent.

Context-Inappropriate Capability

Severity: Medium. Confidence: 97%.
The script exposes an undocumented `debug-token` action and a verbose `status` path that reveal sensitive operational details, including mcporter configuration, session contents, and a partially disclosed agent key. In a banking-related skill, hidden or weakly documented diagnostic commands materially increase the chance of credential leakage, account reconnaissance, and misuse by any caller who can invoke the wrapper.

Intent-Code Divergence

Severity: Low. Confidence: 91%.
The script trusts a PID file in /tmp and unconditionally runs kill on whatever PID is inside it. Because /tmp is world-writable, a local attacker could pre-place or modify /tmp/maxbank-proxy.pid so the script kills an unintended process owned by the current user, creating a local denial-of-service condition.

Missing User Warnings

Severity: Medium. Confidence: 96%.
The README advertises commands that can execute real PIX transfers and boleto payments, but it does not prominently warn users that these are live financial operations with monetary consequences. In an agent-driven environment, this increases the risk of accidental or socially engineered fund transfers because users may treat the commands as informational rather than transactional.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The README explains that an Agent API Key is injected into HTTP headers and stored locally, but it does not clearly warn that this credential grants banking access and must be protected like a secret. This can lead to unsafe handling, accidental disclosure in logs/configs, or misuse if the local environment is compromised.

Vague Triggers

Severity: High. Confidence: 96%.
The trigger patterns are excessively broad and include common phrases like minha conta, qual conta, paga pra mim, lê esse, qr code, image extensions, and raw numeric regexes. Combined with financial side effects and always-on behavior, this creates a high risk of the skill activating on ordinary conversation or uploaded files and steering the agent into payment-related execution paths unintentionally.

Missing User Warnings

Severity: High. Confidence: 98%.
The skill explicitly instructs the agent to assume payment intent from a pasted PIX code, boleto number, or uploaded image and to begin real payment workflows immediately, even when the user gives no command to pay. In a banking context, this bypasses explicit consent for financial actions and can lead directly to unauthorized creation of payment orders.

Missing User Warnings

Severity: Medium. Confidence: 86%.
The script retrieves an agent key from a remote MCP endpoint and persists it plus session metadata under ~/.openclaw/secrets/maxbank. Although file and directory permissions are restricted to 0600/0700, storing long-lived credentials on disk without an explicit user warning, consent flow, encryption, rotation guidance, or lifecycle management increases the chance of credential theft from compromised hosts, backups, or accidental reuse.

Missing User Warnings

Severity: Medium. Confidence: 99%.
The `status` action prints the full contents of `session.json` directly to standard output with no confirmation or redaction. Because this session file includes banking environment and MCP endpoint details, and may include other sensitive account metadata, exposing it in a general-purpose status command can leak secrets to logs, users, downstream tools, or prompt/agent transcripts.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The script stores a long-lived agent key locally and then writes it into mcporter configuration as a Bearer Authorization header, increasing the number of places the credential persists on disk. Although the directories are somewhat permissioned, there is no explicit warning, rotation guidance, or minimization of secret exposure, so compromise of the user account or backups would expose durable banking access.

Ssd 4

Severity: High. Confidence: 99%.
The skill treats uploads and long numeric strings as implicit payment intent and directs the agent to extract codes from images with exec and then proceed into payment workflows without first asking the user's purpose. In a financial skill with real backend effects, this is highly dangerous because benign sharing of a screenshot or document can be converted into a payment initiation path without meaningful consent.

Ssd 4

Severity: High. Confidence: 100%.
The skill states that running pix or billet immediately creates real payments and then forbids asking for confirmation afterward, instructing the agent to present the payment as an accomplished fact. This deliberately removes the normal approval checkpoint for irreversible financial actions and materially increases the likelihood of unauthorized or duplicate payment creation.

Ssd 3

Severity: High. Confidence: 99%.
The `status` action emits full `session.json` contents in plain text, which is a direct sensitive-data exposure. In the context of a banking integration, session metadata and connection details are highly sensitive and can enable account targeting, environment discovery, and follow-on attacks if captured in console history, CI logs, or agent traces.

VirusTotal

No VirusTotal findings