ClawHub

Kiwi Receipts

Security checks across malware telemetry and agentic risk

Overview

This tax-assistant skill handles sensitive financial records, but its behavior is disclosed, local, user-directed, and aligned with its stated purpose.

Install only on a trusted device and treat ~/.openclaw/data/kiwi-receipts as sensitive tax records. Review generated XLSX/CSV files before filing, importing to Xero, or sharing, and consider disk encryption, restricted OS account access, careful backups, and manual deletion of records you no longer need.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The plan explicitly instructs the agent to push code to GitHub and publish the skill externally to ClawHub. External publication is a capability-expanding action unrelated to processing receipts or calculating taxes, and if executed automatically it could leak incomplete, unsafe, or sensitive functionality to third parties without appropriate review.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The directive to use a generic execution sub-skill delegates implementation to a broad capability rather than a narrowly scoped tax-processing function. That increases the chance the agent will perform arbitrary file, code, or system actions beyond the declared purpose of the skill, weakening containment and auditability.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The README explicitly states that highly sensitive business and tax data such as GST/IRD number, receipts, income records, assets, and tax history are stored locally, but it does not present a prominent warning about retention, device compromise risk, backup exposure, or the fact that 7-year retention increases sensitivity over time. In a tax assistant skill, this matters because the stored data can enable identity misuse, financial profiling, and disclosure of regulated financial records if the host machine or synced home directory is accessed by others.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list includes very broad terms such as "tax", "income", "receipt", and "invoice", which can cause the skill to activate in unrelated conversations. Because this skill handles sensitive financial identifiers and writes persistent records, unintended activation could lead to accidental collection, storage, or export of private business data. The tax context makes over-triggering more dangerous than in a low-risk utility skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill collects and stores GST/IRD numbers, receipts, income, assets, and tax history in persistent local files without a clear upfront privacy warning or storage consent flow. This is dangerous because users may disclose regulated financial information and identifiers without understanding that it will be retained on disk and later reused in reports or exports. In a tax-preparation skill, that materially increases privacy, compliance, and unauthorized-access risk.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The Xero CSV export includes client names, transaction descriptions, dates, and amounts, but the plan provides no privacy notice, consent flow, retention guidance, or warning before transmitting or packaging that data. In a tax assistant context this data is highly sensitive financial information, so silent export increases confidentiality and compliance risk.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal