Firefly III API Client

Security checks across malware telemetry and agentic risk

Overview

This skill is a real Firefly III API client, but it gives an agent broad live financial and administrative powers with limited built-in safeguards.

Install only if you intend to let an agent operate a broad Firefly III API client against live financial data. Use the least-privileged token available, prefer read-only prompts for routine work, and require explicit human confirmation before any POST, PUT, PATCH, DELETE, cron, configuration, user-management, webhook, rule-trigger, destroy, or purge request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The spec exposes a cron execution endpoint that can be triggered with a CLI token in the path, and the description states it can run cron tasks for all users. In a generic agent skill with no explicit administrative purpose, this is excessive capability exposure that could enable unauthorized batch processing, duplicated jobs via `force`, or broad side effects if the token is mishandled or guessed.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The API includes `/v1/data/destroy` and `/v1/data/purge`, which can delete large classes of user data or permanently purge deleted data. In a skill with no declared admin or data-destruction purpose, these are highly dangerous capabilities because an agent mistake, prompt injection, or misuse could cause irreversible data loss across a user's financial records.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The spec exposes owner-level user management endpoints for listing, creating, updating, and deleting users. Without a clearly declared administrative skill context, these capabilities are over-privileged and could be abused to enumerate users, change roles, provision accounts, or delete legitimate users if the agent gains owner-scoped credentials.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The configuration endpoints allow reading and updating system configuration values, including behavior-affecting settings. In an undeclared general-purpose skill, this creates unnecessary control over application-wide behavior and can weaken security or alter financial-system behavior in ways the end user did not intend.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The rule-group trigger endpoint performs destructive or state-changing execution against transactions, but the operation metadata does not provide strong user-facing warnings or consent mechanics in the skill itself. In agent contexts, insufficient warning around mutation endpoints increases the chance of accidental bulk modification through ambiguous prompts or indirect instruction.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The individual rule trigger endpoint modifies transactions asynchronously but lacks strong user-facing warnings and safe-by-default execution semantics in the skill surface. That makes accidental transaction mutation more likely when an agent is operating from natural-language instructions rather than deliberate admin workflows.

VirusTotal

67/67 vendors flagged this skill as clean.
