Chief Operating Officer: Working with the Bank (Data Script)

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent and its script is local, but recurring chat summaries of financial account data need clearer user controls.

Review this skill before installing if you plan to use recurring summaries. It appears non-malicious and uses synthetic local data, but scheduled account reports can expose sensitive financial information in chat logs or shared workspaces. Only enable daily summaries after confirming the destination, included fields, redaction needs, and how to turn the schedule off.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The manifest presents the skill as a local-script data retriever, but the instructions expand behavior to live web lookups for procedures and legal guidance. This creates a scope mismatch that can cause the agent to perform undeclared network access, weakening user expectations, platform controls, and security review assumptions.

Intent-Code Divergence

Medium
Confidence: 85%
Finding
The skill first mandates answering strictly from local JSON, then later instructs independent web retrieval. Conflicting data-source rules can lead the agent to mix trusted local account data with unverified external content, producing inconsistent behavior and making it harder to reason about what information is being used and exposed.

Context-Inappropriate Capability

Medium
Confidence: 83%
Finding
The skill adds automation behavior that schedules recurring daily account summaries, even though the manifest focuses on on-demand bank-account assistance. Recurring delivery of financial summaries increases the chance of unintended disclosure in chat channels, especially if chat membership, retention, or visibility changes over time.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The instructions require access to external banking and legal websites, but that capability is not disclosed by the manifest's local-script description. Hidden network behavior expands the trust boundary and may expose contextual information through browsing requests or cause the agent to rely on external content not covered by the original security model.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill instructs sending daily account summaries to chat without requiring an explicit warning that balances, transactions, restrictions, and credentials-related statuses are sensitive financial data. In a banking operations context, automatic posting can leak confidential information to unintended viewers or retained conversation logs, making the context more dangerous than in a low-sensitivity skill.

Missing User Warnings

Low
Confidence: 78%
Finding
The skill directs the agent to use web tools for official procedures but does not clearly disclose that network access will occur or what information might be sent in requests. This is a transparency and privacy concern; while the listed sites are informational, undisclosed browsing in a banking-support skill can still surprise users and expand data-exposure risk.

VirusTotal

65/65 vendors flagged this skill as clean.
