ClawHub

jd-finance

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple JD Finance guide, but it claims sensitive account and financial action capabilities without clear authentication, consent, or safety boundaries.

Review before installing. Use it only for general JD Finance information unless you have a secure, official way to verify account data. Do not share passwords, one-time codes, full account identifiers, or private financial details in chat, and confirm balances, loans, repayments, purchases, redemptions, insurance, and credit-card actions through official JD Finance channels.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger conditions are broad enough that the skill could activate on vague mentions of finance-related JD terms and steer the conversation into sensitive financial workflows. In a finance skill, unintended activation is more dangerous than in a generic informational skill because it may prompt disclosure of account balances, credit lines, repayment obligations, or investment holdings without clear user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises sensitive financial capabilities such as loan inquiries, credit额度, repayment, holdings, insurance, and total asset queries without any warning about privacy, authentication, or account-impacting consequences. In this context, users may be nudged to reveal highly sensitive financial data or assume the skill can safely perform consequential actions, increasing the risk of privacy breaches, social engineering, or unauthorized financial operations.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal