Jarvis Debt Repayment Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local finance-tracking skill, but users should treat the records it creates as private financial data.

Install only in a private workspace, avoid recording unnecessary account numbers or identifiers, and review any generated finance files before sharing or syncing the workspace. Treat bank import or payment API features as not implemented unless future code is provided and reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Severity: Medium
Confidence: 93%

Finding: The trigger keywords are broad, generic finance terms that are likely to appear in normal conversation, increasing the chance the skill activates when the user did not intend it. Because this skill handles sensitive financial topics such as income, debt, and repayments, unintended activation can expose or manipulate private budgeting context more easily than a narrow-purpose skill.

Vague Triggers

Severity: Medium
Confidence: 97%

Finding: The trigger list contains very generic finance words such as 收入 (income), 记账 (bookkeeping), 财务 (finance), and 存款 (savings), which are likely to appear in ordinary conversation. This can cause the skill to activate unintentionally and begin handling or storing sensitive financial data when the user did not explicitly intend to use this skill.

Vague Triggers

Severity: Medium
Confidence: 94%

Finding: The activation section says the skill activates whenever the user mentions broad finance-related topics like 本周收入 (this week's income) or 还款进度 (repayment progress), but it does not define clear intent checks. In a skill that records income, expenses, and debt, ambiguous activation increases the chance of unintended data processing, file writes, or disclosure of private financial information.

Missing User Warnings

Severity: Medium
Confidence: 96%

Finding: The skill states that it stores income, expense, debt, and report data in local files, but it does not warn users that these files contain highly sensitive personal financial information. Without disclosure, users may not understand the privacy risk, retention implications, or the need to protect those files from other local users or tools.

Missing User Warnings

Severity: Medium
Confidence: 92%

Finding: The extension features mention importing bank statements and connecting payment platform APIs, which implies possible external data ingestion and sharing, but there is no warning or consent language. In a financial skill, undisclosed integration with bank or payment data can expose account, transaction, and identity details to third parties or connected services.

VirusTotal

65/65 vendors flagged this skill as clean.