FN Portrait Toolkit

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do the financial-report downloading, extraction, LLM analysis, and chart generation it advertises, with privacy and dependency-hygiene considerations users should understand.

Install this in an isolated Python environment, pin or lock dependency versions before production use, and only set DeepSeek or Moonshot API keys if you are comfortable sending extracted report text and derived financial summaries to that provider. Use local Ollama or --skip-llm for private PDFs, and review the RAWPDF, output2, and portraits output locations before running.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (23)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation instructs users to set API-key environment variables, download PDFs from external sites, and write outputs to multiple local directories, but it declares no corresponding permissions. This creates a transparency and governance gap: hosts or users may not realize the skill can access secrets, perform network activity, and modify the filesystem, which increases the chance of unintended data exposure or unsafe execution in permissive environments.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
Saving a portrait unexpectedly triggers LLM-based analysis and may send locally derived company data to an external model provider based on ambient API keys. This is dangerous because a user performing local visualization may unknowingly cause outbound data transfer to third-party services, expanding data exposure beyond the stated tool purpose and violating least surprise.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The code silently inspects environment variables to auto-select remote AI providers, coupling execution behavior to ambient secrets present in the runtime. In a shared agent or automation environment, this can cause unanticipated use of external services and indirect exfiltration of processed financial/report data whenever matching credentials are available.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The script's functionality substantially exceeds the declared skill purpose of financial footnote extraction. It performs broad LLM analysis over management discussion, R&D results, competitiveness, portrait finance trends, and batch directory processing, which increases the attack surface and can cause unauthorized processing or exfiltration of data unrelated to the user's expected scope.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The code reads cloud-provider API credentials from environment variables even though the stated skill purpose does not justify external model-provider access. In an agent environment, this expands secret access beyond least privilege and can enable unintended use of sensitive credentials for outbound requests.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script recursively scans arbitrary local directories and groups files for batch processing, which goes beyond a narrowly scoped footnote-extraction tool. In an agent setting, this can lead to overcollection of local data and accidental processing of unrelated or sensitive files without clear user intent.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill description and usage guidance do not clearly warn users that it will fetch untrusted external PDFs and write several output artifacts locally. While this is consistent with the tool's intended purpose, the missing disclosure can lead users to run it without understanding the network, storage, and potential document-handling risks associated with processing third-party files.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When a cloud provider is selected, the script sends company report text to external LLM APIs without any user-facing warning, consent, or data-classification check. This is dangerous because annual report text and derived internal data may include sensitive or restricted content, and users may reasonably expect local-only processing from the skill description.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The script silently reads API credentials from environment variables without disclosing that sensitive secrets are being accessed. While common in CLI tools, in an agent skill this weakens transparency and can surprise operators who did not intend the skill to consume available credentials.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
In batch mode the script deletes an existing Excel file and overwrites outputs without confirmation or safe-write protections. This can destroy prior analysis results or user data if paths are misconfigured, especially because batch processing operates over many companies and years automatically.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas
openpyxl
requests
matplotlib
Confidence
97% confidence
Finding
pandas

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas
openpyxl
requests
matplotlib
numpy
Confidence
97% confidence
Finding
openpyxl

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas
openpyxl
requests
matplotlib
numpy
pillow
Confidence
97% confidence
Finding
requests

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas
openpyxl
requests
matplotlib
numpy
pillow
pdfplumber
Confidence
94% confidence
Finding
matplotlib

Unpinned Dependencies

Low
Category
Supply Chain
Content
openpyxl
requests
matplotlib
numpy
pillow
pdfplumber
filelock
Confidence
97% confidence
Finding
numpy

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
matplotlib
numpy
pillow
pdfplumber
filelock
Confidence
98% confidence
Finding
pillow

Unpinned Dependencies

Low
Category
Supply Chain
Content
matplotlib
numpy
pillow
pdfplumber
filelock
Confidence
95% confidence
Finding
pdfplumber

Unpinned Dependencies

Low
Category
Supply Chain
Content
numpy
pillow
pdfplumber
filelock
Confidence
93% confidence
Finding
filelock

Known Vulnerable Dependency: openpyxl — 2 advisory(ies): CVE-2017-5992 (Improper Restriction of XML External Entity Reference in Openpyxl); CVE-2017-5992 (Openpyxl 2.4.1 resolves external entities by default, which allows remote attack)

High
Category
Supply Chain
Confidence
89% confidence
Finding
openpyxl

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
92% confidence
Finding
requests

Known Vulnerable Dependency: numpy — 10 advisory(ies): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Critical
Category
Supply Chain
Confidence
83% confidence
Finding
numpy

Known Vulnerable Dependency: pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
93% confidence
Finding
pillow

Known Vulnerable Dependency: filelock — 2 advisory(ies): CVE-2026-22701 (filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLoc); CVE-2025-68146 (filelock has a TOCTOU race condition which allows symlink attacks during lock fi)

Low
Category
Supply Chain
Confidence
80% confidence
Finding
filelock

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal