Agentfinobs

Security checks across malware telemetry and agentic risk

Overview

This financial monitoring skill is mostly coherent, but its built-in dashboards can expose sensitive agent spending data on all network interfaces without authentication.

Install only if you are comfortable handling agent spending telemetry locally. Do not expose the dashboard or Prometheus port to untrusted networks; firewall it or run it behind localhost/reverse-proxy authentication. Avoid putting secrets or sensitive prompts in transaction descriptions, tags, or error messages, especially when using JSONL or webhook exporters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises capabilities consistent with network access, file writing, and possibly shell usage, but it does not declare any permissions. That mismatch is a real security issue because users and hosting platforms cannot accurately assess or constrain what the skill may do, especially since it includes an HTTP dashboard and exporters that can send data externally.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The dashboard starts an unauthenticated HTTP server bound to 0.0.0.0 by default, making financial telemetry, alerts, budget state, and recent transaction data reachable from any network interface. In the context of a financial observability skill, this can expose sensitive operational and transactional data to unauthorized users and materially increases reconnaissance and data-leakage risk.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The handler sets Access-Control-Allow-Origin: * for all dashboard responses, allowing any website to read these responses from a victim's browser if the dashboard is network-accessible. Although there is no authentication here to bypass, permissive CORS broadens the attack surface and makes exfiltration of sensitive financial observability data easier from browser contexts.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This handler is explicitly designed to automatically record every LLM/chat invocation, including model name, token counts, latency, and error details, without any consent gate, notice mechanism, or minimization control in this integration layer. In agent observability contexts, such silent metadata collection can create privacy, compliance, and data-governance risk because usage metadata may reveal sensitive workflows, prompt activity patterns, or operational behavior and is captured by default.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The exporter starts an HTTP metrics endpoint on 0.0.0.0 and logs its network-accessible URL, which can expose sensitive financial observability data such as spend, revenue, burn rate, ROI, budget headroom, and alerts to any host that can reach the port. In an agent financial monitoring context, these metrics are operationally sensitive and could leak business intelligence or internal usage patterns if the service is deployed without network restrictions or authentication.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal