ClawHub
Back to skill

Security audit

Us Treasury Radar

Security checks across malware telemetry and agentic risk

Overview

This is a small public-data Treasury reporting skill; its main risk is stale or estimated financial data, not hidden system access or unsafe behavior.

Install only if you understand that this is an informational financial-analysis helper, not investment advice. Verify figures against official TreasuryDirect and TIC releases before making decisions, and treat risk signals and fallback values as estimates unless the output clearly shows fresh source dates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code presents country holdings as if they are derived from TIC reports, but the values and period-over-period comparisons are hard-coded estimates rather than fetched or validated report data. This is dangerous because it can mislead users into treating synthetic financial intelligence as authoritative, which may drive incorrect decisions while concealing the lack of provenance and freshness.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The script states that TreasuryDirect data is real-time, but when API calls fail it silently substitutes fixed placeholder values and still prints output implying live data. This creates deceptive output and undermines trust, especially in a financial monitoring tool where stale or fabricated fallback data may be acted upon as current information.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.