Expense Reimbursement

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local reimbursement organizer, but it should only be used on a dedicated folder because it processes sensitive travel and receipt files.

Install only if you are comfortable letting the agent process receipts, travel records, project codes, and reimbursement forms locally. Use a dedicated reimbursement folder containing only intended files, avoid running it on untrusted ZIP archives, install dependencies in a virtual environment, review generated PDFs before submission, and delete or relocate the ~/memory summary if it contains private details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The documentation claims the workflow pauses for user confirmation, but the Step 7.4 implementation directly creates folders and writes output files with no code-level confirmation gate. If invoked out of sequence by an agent or wrapper, it can modify the user's filesystem without the promised approval checkpoint.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
Step 8 is documented as contingent on the user replying '签字完成' ("signing complete"), yet the code copies signed documents and regenerates final packages without checking that condition. This creates a state-integrity flaw where sensitive files can be duplicated and final outputs altered merely by calling the function.

Vague Triggers

Medium
Confidence: 82%
Finding
The trigger phrase '帮我整理报销' ("help me organize my reimbursement") is broad enough that normal conversation could unintentionally activate a workflow that performs OCR, recursive file scanning, and file creation. In this context, accidental activation is more dangerous because the skill handles sensitive receipts, travel records, and local documents.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill advertises recursive scanning, ZIP inspection, and OCR over reimbursement materials without an explicit privacy warning or data-handling notice. Because the target documents contain personal, financial, and travel information, users may not realize the extent of collection and processing, increasing the risk of privacy harm and improper handling.

Missing User Warnings

Medium
Confidence: 88%
Finding
The workflow instructs OCR of screenshots and recursive scanning of reimbursement files, including ZIP contents, which can expose highly sensitive personal, financial, and travel information. Although the skill description mentions a checkpoint before continuing, this document does not clearly require an explicit, informed user warning or scoped consent before broad file and archive processing, increasing privacy and data-minimization risk.

Ssd 3

Medium
Confidence: 93%
Finding
The skill instructs saving a conversation summary to a persistent memory file under ~/memory, which can retain reimbursement details beyond the immediate task. Since reimbursement discussions can include destinations, dates, costs, and project identifiers, this creates unnecessary long-term exposure of sensitive user data.

VirusTotal

63/63 vendors flagged this skill as clean.
