ClawHub

Q2

Security checks across malware telemetry and agentic risk

Overview

This Q2 banking integration is coherent, but it gives broad authenticated action and raw API-request capability without enough safety boundaries for financial data changes.

Install only if you intend to let an agent interact with your Q2 environment through Membrane. Use a test or least-privilege account, review every proposed action or proxy request before it runs, and avoid granting access that can move money, alter accounts, delete records, or change workflows unless that is explicitly intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill description is overly broad ('Manage data, records, and automate workflows'), which can cause the agent to invoke this banking-related skill for generic requests that were not clearly intended for Q2. In a financial-platform context, accidental invocation can expose sensitive records or trigger high-impact operations in the wrong system, especially when paired with broad action discovery and proxy capabilities.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explains how to run actions and arbitrary proxy requests but does not warn that these operations may create, update, delete, or otherwise modify remote Q2 data. Because Q2 is a banking platform and the skill exposes both generic action execution and raw request forwarding, omission of mutation-risk guidance increases the chance of destructive or unauthorized changes.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal