ClawHub

FHA, VA & USDA Mortgage Rate Watch

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed mortgage-rate summary and calculator helper, with no hidden credential access, destructive behavior, or exfiltration paths found.

Install this for educational public-rate summaries, program comparisons, and payment estimates. Treat outputs as informational, verify any current rates with cited sources or a licensed lender, and only enable scheduled alerts/local state if you are comfortable with recurring checks and storing last-known rate data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill advertises daily FHA/VA/USDA rate monitoring and summaries, but the documented behavior centers partly on generic payment calculations and references functionality that may not actually exist in the skill itself. This mismatch can cause an agent to invoke the skill for time-sensitive financial information it is not equipped to retrieve or validate, leading to misleading outputs in a regulated, high-stakes mortgage context.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger description is broad enough to catch general mortgage or first-time homebuyer questions, which can cause the wrong skill to activate outside its safest scope. In a financial domain, unintended invocation increases the chance of users receiving generic, stale, or non-personalized guidance that may be mistaken for current mortgage information or advice.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal