Financial Product Workflow

Security checks across malware telemetry and agentic risk

Overview

This is a mostly documentation-only financial product workflow, but it encourages automatic writes to business tools using powerful credentials without enough approval and data-sharing guardrails.

Install only if you are comfortable with the agent helping operate connected business tools. Use sandbox projects first, avoid broad tokens, prefer least-privilege credentials, require manual approval before every external create/update/send action, and do not pass regulated, customer, or confidential financial data into integrations unless your organization has approved that data flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The documented design principles explicitly allow binding arbitrary tools and custom extensions, which materially broadens the skill from a financial-product workflow into a general integration/orchestration surface. In an agent setting, this scope creep increases the chance the skill can be repurposed for unrelated or unsafe actions that users did not expect from the declared skill purpose.

Description-Behavior Mismatch

Medium
Confidence: 84%
Finding
Advertising GitHub branch and PR creation extends the skill into source-control modification, which is broader than the stated financial workflow purpose and introduces write-capable operations against external systems. This mismatch can mislead users and reviewers about the effective authority of the skill.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The custom tool binding section encourages users to create arbitrary scripts, wire them into prompts, and submit them for integration, effectively turning the skill into a general-purpose execution and automation framework. That significantly increases attack surface because prompt-level access can be expanded to unrelated external actions without clear sandboxing, review gates, or scope restrictions.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The FAQ's blanket claim that API configuration is 'safe' and 'will not be uploaded to the cloud' is misleading because the documented integrations perform authenticated requests to third-party SaaS platforms, exposing data and metadata to external services by design. Such overbroad safety claims can cause users to underestimate credential and data-handling risk.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The file instructs the skill to read environment-stored API credentials and use them to create or modify Jira and Confluence resources automatically. That expands the skill from document/workflow guidance into external side-effecting operations, creating risk of unauthorized SaaS changes, data leakage through generated content or errors, and misuse if the skill is triggered in the wrong context. In this skill's context, the danger is higher because financial-product workflows often involve sensitive planning data and enterprise systems.

Missing User Warnings

Medium
Confidence: 90%
Finding
The quickstart encourages automatic creation through Jira, Confluence, Figma, and analytics APIs, but it does not warn users that prompts, product plans, user data, or internal business information may be transmitted to external services. In a financial-product workflow, this omission is more sensitive because documents may contain regulated, confidential, or customer-related information, increasing the risk of unintended data disclosure or compliance violations.

Missing User Warnings

Medium
Confidence: 84%
Finding
The README explicitly promotes integrations with Jira, Confluence, GitHub, messaging tools, and search tooling that can create artifacts or send notifications, but it does not warn users that these actions may affect real external systems, organizational data, or production workflows. In an agent skill context, that omission increases the risk of unintended writes, data disclosure, or noisy side effects when users assume the workflow is purely advisory.

Vague Triggers

Medium
Confidence: 90%
Finding
The skill description uses very broad activation cues such as whenever a user needs to build a financial product workflow or mentions related phrases, without tight boundaries on when the skill should engage. Over-broad triggers can cause the agent to invoke this skill in inappropriate contexts, leading to unnecessary access to tool integrations, workflow actions, or finance-related guidance when the user did not intend that scope.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation lists multiple write actions against external systems—sending notifications, creating issues/pages, and opening branches/PRs—without requiring explicit confirmation, preview, or user acknowledgement of side effects. In an agent workflow, this creates risk of unintended state changes, spam, or unauthorized modifications across integrated services.

Natural-Language Policy Violations

Medium
Confidence: 94%
Finding
The file is written entirely in Chinese and does not offer a language choice or document a justified locale restriction, which can prevent reviewers, operators, or downstream agents from correctly understanding instructions and compliance requirements. In a financial-product workflow, this raises the risk of misconfiguration, missed policy violations, and reduced security oversight because critical guidance is inaccessible to part of the audience.

Missing User Warnings

Medium
Confidence: 91%
Finding
The document includes executable examples that send data to an external analytics endpoint and shows a Jira authentication pattern using hardcoded credential placeholders, but it provides no warning about secret handling, data classification, or approval requirements for transmitting operational data. In an agent skill context, users may copy these snippets directly into automation flows, creating a realistic risk of unintended data exfiltration or insecure secret usage.

External Transmission

Medium
Category: Data Exfiltration
Content (excerpt):
import requests

def query_task_completion_rate(start_date, end_date):
    response = requests.post(
        'https://api.sensorsdata.cn/api/v1/event',
        json={
            'event': 'task_complete',
Confidence: 90%
Finding
requests.post( 'https://

External Transmission

Medium
Category: Data Exfiltration
Content (excerpt):
import requests

def query_task_completion_rate(start_date, end_date):
    response = requests.post(
        'https://api.sensorsdata.cn/api/v1/event',
        json={
            'event': 'task_complete',
Confidence: 90%
Finding
requests.post( 'https://api.sensorsdata.cn/api/v1/event', json=

External Transmission

Medium
Category: Data Exfiltration
Content (excerpt):
def query_task_completion_rate(start_date, end_date):
    response = requests.post(
        'https://api.sensorsdata.cn/api/v1/event',
        json={
            'event': 'task_complete',
            'start_date': start_date,
Confidence: 88%
Finding
https://api.sensorsdata.cn/

VirusTotal

65/65 vendors flagged this skill as clean.