ClawHub

银行卡三要素核验 - 聚合数据

Security checks across malware telemetry and agentic risk

Overview

This bank-card verification skill does what it advertises, but it sends bank-card, real-name, ID-card, and API-key data over unencrypted HTTP.

Review before installing. Only use this with test data or after the provider call is changed to HTTPS and users explicitly approve sending their bank-card number, real name, and ID number to Juhe. Prefer an environment variable or managed secret for JUHE_BANKCARD3_KEY, avoid passing the key on the command line, and do not process real customer data over the current HTTP endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill instructs sending a bank card number, real name, and national ID number to a third-party API but does not require explicit user notice and consent before transmission. Because these are highly sensitive financial and identity attributes, silent or implied forwarding to an external service creates a significant privacy and compliance risk.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script sends highly sensitive personal data—bank card number, real name, ID card number, and API key—to a third-party service over plain HTTP. This allows network attackers or intermediaries to intercept or tamper with requests and responses, creating serious privacy, account, and integrity risks in a financial identity-verification context.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal