Spend Ledger

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent as a local spending ledger, but it needs review because it broadly monitors tool activity, uses default remote pattern updates, persists sensitive payment context, and includes a real local code-execution bug in a query script.

Install only if you are comfortable with a skill that observes payment-like tool calls, writes a local spending ledger, and can block duplicate payment attempts. For sensitive environments, disable community pattern sync, review the ledger file permissions and retention needs, avoid submitting custom tool patterns to maintainers unless you are comfortable sharing them, and do not pass untrusted filter strings to query-log.sh until the argument-injection bug is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no permissions while its documented behavior clearly requires network access and inspection of tool inputs/results. This under-disclosure is dangerous because users and orchestrators cannot accurately assess or constrain the skill's data exposure and outbound communication surface.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The advertised purpose is a local tamper-evident spending ledger, but the behavior extends to fetching remote community patterns, submitting user-defined patterns, and maintaining persistent identifiers. That mismatch can conceal telemetry and data-sharing behaviors from users, undermining informed consent and increasing privacy and supply-chain risk.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Fetching community detection patterns from a remote API introduces unnecessary external network dependency for a skill presented as a local ledger. This creates privacy leakage, remote influence over what gets detected, and a supply-chain channel through which compromised or malformed patterns could alter behavior.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The UI explicitly offers to send user-entered tracked-tool patterns to maintainers, which expands the feature from local ledgering into external data sharing. In a spending/ledger tool, those patterns and descriptions may reveal internal tools, payment workflows, or vendor relationships, creating a privacy and operational-security risk if transmitted without strong consent and disclosure.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This code transmits user-supplied pattern data to a remote service, which is functionality beyond a strictly local tamper-evident payment ledger. Even if intended as an opt-in community feature, it creates an outbound data-sharing channel and associated privacy/trust risk, especially because the skill description does not clearly signal remote telemetry or submission behavior.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The file creates a persistent per-install UUID and derives a stable SHA-256 hash for remote submissions, enabling long-term correlation of activity from the same installation. While the raw UUID is not sent, the stable hash still functions as a pseudonymous identifier and introduces tracking capability not necessary for core ledger operation.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The plugin performs unsolicited background network synchronization on load and every 24 hours, even though its stated purpose is payment ledgering and duplicate-prevention. This expands the trust boundary, introduces external supply-chain and privacy risks, and allows remotely sourced detection logic to influence what gets logged or treated as payment-related without explicit operator action in this file.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Periodic external pattern-sync is not necessary to the core function shown here and creates a hidden remote-update channel. If the sync source is compromised or misconfigured, payment detection behavior could be altered, causing incorrect logging, denial of legitimate payments, or unintended data exposure through network access.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The claim that payments across 'any tool' are detected automatically is overly broad and encourages pervasive monitoring of tool calls. In a payment context, that can lead to unintended inspection of unrelated tools, over-collection of sensitive data, and user misunderstanding about when the skill activates.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The heuristic detection rules are open-ended, including generic names like 'checkout', 'purchase', 'buy' and parsing exec output for monetary signals. Such loose triggers can misclassify benign operations as payments, causing excessive logging of sensitive arguments/results and potentially interfering with normal tool usage.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation says tool calls are inspected and payments logged automatically, but it does not prominently warn that tool arguments, results, service details, and related request context may be captured. This is dangerous because payment flows often contain sensitive metadata, and users may unknowingly expose operational or personal information to the ledger.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The log is explicitly described as storing service URL/name, transaction details, triggering skill, user request, and input hash, yet there is no strong warning that this creates a durable record of potentially sensitive operational context. Direct-file access to JSONL further increases the chance that secrets, business data, or personal information could be exposed or mishandled.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script interpolates user-controlled shell arguments directly into a JavaScript snippet passed to `node -e`. An attacker can supply crafted values containing quotes or JavaScript syntax to break out of the intended string context and execute arbitrary code in the Node process, which can lead to local code execution under the privileges of the script runner.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The form allows user-supplied tool patterns, descriptions, and categories to be sent to maintainers, but the UI only frames this as helping future versions and does not clearly warn about network transmission or possible sensitivity of the data. Because this skill tracks payment-related tools, submitted values could disclose proprietary tool names or spending infrastructure details.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Pattern submission sends a stable submitter_hash to a remote API at the point of transmission without any direct, in-context user warning or consent enforcement. That allows the remote service to link multiple submissions over time, creating a privacy risk and unexpected data sharing channel for users who may believe the skill is only a local ledger.

Missing User Warnings

Medium
Confidence
72% confidence
Finding
The code appends detected payment transactions to a ledger automatically, but this file contains no user-facing notice, consent, or visibility control around that persistence. In a payment context, silent recording can capture sensitive spending metadata such as tool names, timestamps, session linkage, and payment context, creating privacy and compliance risk if users or operators are unaware.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code persists rich transaction context to a local JSONL ledger, including fields such as user_request, skill, tool_name, tool_args_summary, receipt_url, confirmation_id, and service metadata, without any minimization, redaction, or consent mechanism. In an autonomous-agent payment ledger, these fields can contain sensitive prompts, operational details, payment identifiers, or personal data, so compromise of the log file or unintended local access can expose confidential user and system information.

VirusTotal

65/65 vendors flagged this skill as clean.
