raiffeisen-elba

Security checks across malware telemetry and agentic risk

Overview

This banking automation skill is mostly transparent about credentials and session-token handling, but it includes under-disclosed tools that can collect and download sensitive bank documents.

Review carefully before installing. Use it only in a private, trusted workspace. Expect the skill to handle your ELBA PIN, live browser session, bearer token, transactions, portfolio data, and potentially mailbox documents. Avoid running the document helper scripts unless you intentionally want local copies of bank records. Always run logout afterward and delete exported files you no longer need.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script performs document collection from a banking document archive using a direct API, which exceeds the declared skill scope of login/logout, account listing, and transaction retrieval. In a banking context, this scope expansion materially increases access to sensitive financial records and bypasses the user's reasonable expectations about what the skill will do.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code actively extracts bearer tokens from browser storage and intercepted requests, then reuses them with session cookies for direct API calls. This turns an interactive browser automation skill into a credential/session replay tool, increasing the blast radius if the script is modified, logs are exposed, or the environment is compromised.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The module docstring openly states that it collects documents via an API endpoint, while the manifest describes only login/logout, account listing, and transaction retrieval. This mismatch is a security-relevant integrity issue because it conceals broader data access capabilities from reviewers and users.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This script adds a capability to download banking documents that is not disclosed by the skill metadata, which only mentions login/logout, listing accounts, and fetching transactions. Scope mismatch is dangerous because it can cause users or reviewers to grant trust to a skill that also accesses and persists additional sensitive financial records they did not expect.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The code actively retrieves banking documents through authenticated API calls and writes them to local storage, but this behavior is not reflected in the stated skill scope. In a banking context, undisclosed collection and export of documents materially increases privacy and data-handling risk because statements and notices may contain highly sensitive personal and financial information.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill behavior materially exceeds its stated metadata by downloading mailbox documents and fetching portfolio positions, which expands access to more sensitive banking data than a user would expect from the description. In a banking automation skill, this mismatch is security-relevant because users and platforms may grant trust based on the narrower declared scope.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The implementation goes beyond browser automation by extracting bearer tokens from storage and intercepted requests, then using them with direct backend API calls. In the context of online banking, this is more dangerous than ordinary Playwright automation because it enables reusable authenticated access outside the visible browser session and broadens the attack surface for credential/token misuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script searches localStorage, sessionStorage, and outbound requests for authentication tokens without any user-facing disclosure or consent flow. In a banking environment, silent harvesting of session credentials is especially dangerous because those tokens may enable direct access to protected account data beyond the visible browser workflow.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script writes raw API responses containing banking documents and metadata to local JSON and text files without a clear warning or consent step. Even if saved under a workspace path, this creates a durable local copy of sensitive financial data that can be exposed through backups, shared directories, or later compromise of the host.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script extracts a bearer token from browser storage or intercepted requests and reuses it for direct API access, effectively bypassing normal in-browser session boundaries. In a banking skill, this is particularly sensitive because the token can authorize access to protected account documents, and the code provides no user-facing disclosure, minimization, or safeguards around this credential material.

Missing User Warnings

Low
Confidence
86% confidence
Finding
Downloaded banking documents are saved to disk without an explicit warning, confirmation, or retention notice. Because these files can contain sensitive financial data, silent local persistence increases the risk of unintended exposure through shared machines, backups, or later compromise of the workspace.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The setup flow stores banking credentials in plaintext JSON on disk with no user-facing warning or safer secret-storage mechanism. Even with restrictive file permissions, local compromise, backups, accidental sharing, or multi-user environments could expose credentials for a financial account, making this particularly sensitive in the banking context.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code extracts bearer tokens from local/session storage and network requests, then caches them to disk without explicit disclosure. Persisted banking session tokens can grant authenticated API access without re-entering credentials or 2FA, so token theft may directly expose account, transaction, document, and portfolio data.

Ssd 3

High
Confidence
99% confidence
Finding
The script explicitly prints the pushTAN authentication code to stdout and even notes that an observing agent will see it. In a banking skill, exposing live 2FA challenge material to logs, wrappers, agents, or terminal capture systems is highly sensitive and can enable unauthorized transaction approval or session takeover in real time.

VirusTotal

65/65 vendors flagged this skill as clean.
