Passive Income Tracker

Security checks across malware telemetry and agentic risk

Overview

This appears to be a finance-tracking skill with purpose-aligned data syncing, but it asks users to connect multiple financial APIs without enough scoping or safety guidance.

Install only if you are comfortable connecting financial and monetization accounts. Use read-only, least-privilege API keys where available, store secrets outside shared folders or chat logs, review what files the skill exports or backs up, and keep generated reports in encrypted or access-controlled locations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings (Severity: Medium; Confidence: 88%)

Finding: The README promotes automatic synchronization across numerous financial platforms and references API-based access, but it does not warn users about the risks of connecting financial accounts, handling API keys, or limiting scopes. In a finance-related skill, omission of these cautions can lead users to overconnect accounts, use overly privileged credentials, or expose sensitive financial data if keys are mishandled.

Missing User Warnings (Severity: Medium; Confidence: 91%)

Finding: The documented export and backup capabilities can produce files containing sensitive financial records, tax information, and account-derived analytics, but the README does not warn users that these artifacts may persist unencrypted on disk or in backup locations. In this skill's context, that omission is more dangerous because the data concerns personal finances, making accidental disclosure via shared machines, cloud-synced folders, or insecure backups more likely.

Vague Triggers (Severity: Medium; Confidence: 92%)

Finding: The trigger list includes broad, common financial phrases such as "passive income," "income analysis," and "financial dashboard," which can cause the skill to activate in contexts where the user did not intend to access or process sensitive financial data. In a skill that syncs multi-platform earnings and handles API-backed financial accounts, over-broad invocation increases the chance of unintended exposure, syncing, or prompting for sensitive credentials.

Missing User Warnings (Severity: Medium; Confidence: 95%)

Finding: The skill instructs users to place API keys for multiple financial and monetization platforms into configuration, but it does not warn about secret handling, least-privilege scopes, storage location, rotation, or the risks of syncing sensitive earnings data. Because the skill aggregates cross-platform financial information and may generate reports containing tax-relevant data, missing guidance materially raises the risk of credential leakage, unauthorized account access, and privacy exposure.

VirusTotal

66/66 vendors flagged this skill as clean.