ClawHub

票据产品问答

Security checks across malware telemetry and agentic risk

Overview

This is a read-only financial help skill, but its knowledge base repeatedly gives sensitive banking, identity, tax, verification-code, and transaction instructions without enough safety framing.

Review before installing. Use this skill only as informational support for authorized company representatives, and do not paste passwords, SMS codes, ID images, bank account details, tax credentials, or facial-verification material into chat. Complete sensitive steps only through verified official banking or platform channels, and independently confirm transaction, account, and disclosure changes before acting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (23)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document instructs users to provide highly sensitive corporate and personal data, including business licenses, legal representative IDs, agent IDs, bank account details, SMS codes, and payment verification information, without any privacy notice, data minimization guidance, or verification of the destination link. In a retrieval skill, surfacing these instructions without safeguards could facilitate phishing, social engineering, or unsafe disclosure of regulated financial and identity information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document instructs users to provide highly sensitive materials including business licenses, legal representative IDs, agent IDs, authorization letters, bank account details, phone verification codes, and a micro-deposit verification code, but it does not include any privacy, data minimization, storage, or anti-phishing guidance. In a retrieval skill, this is dangerous because users may be encouraged to submit sensitive identity and banking data through an unverified link or workflow without clear safeguards, increasing the risk of credential theft, impersonation, or fraudulent account binding.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This content instructs users to provide highly sensitive corporate identity and banking information, including business licenses, legal representative IDs, agent IDs, bank account details, SMS codes, and payment verification data, but provides no privacy, data minimization, secure transmission, or anti-phishing guidance. In a retrieval skill, surfacing such instructions without trust verification or handling safeguards could facilitate social engineering, unauthorized collection of regulated personal/business data, or redirection to fraudulent payment flows.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document instructs users to collect and upload highly sensitive personal and financial information, including identity documents, beneficiary details, shareholder information, bank account access, and financial statements, but provides no privacy notice, data minimization guidance, retention limits, or secure handling instructions. In a retrieval skill, this can normalize unsafe disclosure practices and could lead users to overshare regulated data without understanding risks or safeguards.

Missing User Warnings

High
Confidence
96% confidence
Finding
The document instructs users to provide highly sensitive business and personal information, including IDs, licenses, contracts, invoices, tax authorization, and facial verification, but provides no privacy notice, data minimization guidance, or secure-handling warning. In a retrieval skill context, this is dangerous because an agent could surface these instructions without caution, normalizing collection of regulated data and increasing the risk of oversharing, phishing-style misuse, or improper transmission through insecure channels.

Missing User Warnings

High
Confidence
97% confidence
Finding
The article instructs users to provide highly sensitive information, including tax account credentials, SMS verification codes, financial statements, and legal representative face verification, without any safety framing or prohibition on agent handling of those secrets. In an agent skill context, this is dangerous because a model may relay these steps directly and normalize collection of credentials or one-time codes, enabling phishing, account takeover, privacy violations, or improper processing of regulated personal and corporate data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document instructs users to submit highly sensitive business and personal data, including ID documents, financial information, and a corporate bank account usable for online banking, but provides no privacy notice, data minimization guidance, or handling safeguards. In a retrieval skill, this can normalize collection of sensitive information without clarifying protection, retention, or verification controls, increasing the risk of social engineering, oversharing, or unsafe downstream handling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document instructs users to provide highly sensitive personal, corporate, banking, and tax-related information, including identity documents, shareholder/beneficiary data, bank account access capability, and even electronic tax bureau credentials/passwords, without any privacy, storage, transmission, or credential-handling safeguards. In a retrieval skill context, this is especially dangerous because an agent may surface or normalize requests for secrets and regulated data, increasing the risk of credential harvesting, privacy violations, and unsafe operational guidance.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The content instructs users to provide sensitive tax-account information, phone numbers, SMS verification codes, and complete facial-recognition steps, but gives no privacy notice, data-minimization guidance, or warning about phishing and official-domain verification. In a retrieval skill, this can normalize high-risk identity and tax-data collection and may facilitate social engineering if surfaced to users without safeguards.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The content instructs users to upload highly sensitive identity documents (business license, legal representative ID, agent ID) and perform facial/payment verification, but provides no privacy notice, data-handling explanation, or verification guidance beyond submitting to the bank. In a billing/banking support context, this increases the risk of unsafe collection or mishandling of personal and corporate identity data, and could normalize phishing-like workflows if reused outside the official platform.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document instructs users to enable automatic disclosure of acceptance and credit information but does not explain what data will be shared, with whom, or the privacy/compliance implications. In a banking and billing knowledge skill, omission of these warnings can cause organizations to enable ongoing data sharing without informed consent or internal approval, creating confidentiality and regulatory risk.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The document instructs users to enter and retain sensitive registration data, including legal representative identity details, contact information, email-based login credentials, business verification codes, and an enterprise identifier usable as a login account, without any guidance on secure handling. In a retrieval skill, this can normalize unsafe treatment of authentication-related information and increase the risk of credential leakage, phishing, or unauthorized account access.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document instructs users to submit highly sensitive personal and corporate information, including identity documents, beneficiary details, shareholder data, bank account information, and financial reports, but provides no privacy notice, data-minimization guidance, or verification advice. In a retrieval skill, this can normalize unsafe disclosure and increase the risk of phishing, oversharing, or mishandling of regulated data if users are guided to provide such information without clear safeguards.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The document instructs users to upload invoices, bills of lading, contracts, and other trade-finance records to a web platform, but provides no privacy, data-classification, or secure-handling guidance for highly sensitive financial and business information. In a retrieval skill, such content can normalize disclosure of sensitive documents and cause users or downstream agents to mishandle confidential data, increasing the risk of privacy breaches, data leakage, and compliance violations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document instructs users to collect and upload highly sensitive corporate, personal identity, shareholder, beneficiary, and financial information, but it provides no privacy notice, data minimization guidance, retention rules, masking instructions, or secure-handling warning. In a retrieval skill, this can normalize unsafe disclosure and increase the chance that users paste or upload regulated data into the agent flow without understanding how it will be processed or protected.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The document instructs users to upload highly sensitive business documents, including trade contracts, invoices, ticket images, and phone-linked account data, but provides no caution about data minimization, secure handling, privacy, or verification of the destination platform. In a retrieval skill, this can normalize oversharing of confidential financial information and increase the risk of data leakage, phishing-style misuse, or unsafe submission to an unverified interface.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document gives step-by-step instructions for initiating a financing/discount transaction, including bank identifiers, settlement options, and an automatic review/disbursement flow, but does not require independent verification of account details, transaction authorization, or user acknowledgement of financial consequences. In a retrieval skill, surfacing such operational instructions without safety guardrails can facilitate mistaken or unauthorized high-impact financial actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document instructs users to upload highly sensitive corporate and personal data, including ID documents, beneficiary/shareholder information, bank account access details, and financial reports, but provides no privacy notice, secure-handling guidance, or verification steps beyond a bare link. In a retrieval skill that answers billing/product questions and recommends platforms, this can normalize disclosure of regulated data without helping users confirm legitimacy, increasing phishing, privacy, and data-exposure risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document instructs users to submit highly sensitive data, including phone numbers, SMS codes, trade contracts, invoices, debt certificate images, and receiving bank account details, but provides no warning about secure handling, data minimization, or phishing/privacy risks. In a retrieval skill, this can normalize unsafe collection of financial and identity-related information and may lead users or downstream agents to request or expose that data inappropriately.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document gives step-by-step instructions to change a bill channel number and states the change takes effect immediately, but it does not include any warning, confirmation guidance, or advice to verify the new channel identifier before submission. In a billing/banking context, this can lead users to misroute transactions, disrupt billing operations, or make hard-to-reverse account-impacting changes through user error or social engineering.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document instructs users to provide highly sensitive personal, corporate, and banking information, including identity documents, beneficial owner data, and enterprise online banking account details, but gives no guidance on privacy protections, data minimization, authenticity verification, or secure submission handling. In a retrieval skill, this can normalize unsafe collection practices and may enable social-engineering, phishing, or mishandling of regulated financial and identity data if surfaced to users without safeguards.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The document provides broad operational guidance for changing enterprise profile data, account-linked phone numbers, shareholder/beneficiary information, and initiating bank verification flows without clear trigger constraints, authorization checks, or scoping language. In a retrieval skill, this can cause an agent to surface high-impact account-maintenance instructions too readily, increasing the risk of social-engineering enablement or accidental guidance for unauthorized changes.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The content instructs users to perform sensitive identity and account-verification actions, including public-account transfer verification, phone-number changes, and legal representative facial recognition via WeChat, but does not warn about privacy, biometric sensitivity, or the account consequences of completing these steps. In a billing/banking-adjacent skill, omission of such warnings can normalize risky actions and make phishing or coerced verification workflows more effective.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal