Income Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local income-tracking skill; it stores financial records on disk, but the behavior matches its stated purpose and there is no evidence of exfiltration or hidden execution.

Install only if you are comfortable storing income history in a local JSON file. Use a dedicated private DATA_PATH, protect the file with filesystem permissions or disk encryption if it contains sensitive notes or client details, and treat currency conversion as approximate because the code uses fixed exchange rates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The shortcut trigger `收入` is extremely broad and likely to match ordinary conversation about income, causing the skill to activate unexpectedly. In a finance-related skill that stores and analyzes sensitive financial data, overbroad activation increases the risk of unintended data entry, disclosure, or confusing interception of unrelated user requests.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill describes local storage, export/import, and optional cloud sync for financial records, but provides only a brief note about encrypting sensitive data rather than a clear privacy and safety warning. Because the data concerns personal income and possibly client/project details, inadequate disclosure can lead users to expose sensitive financial information without understanding retention, sync, backup, or sharing risks.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill persists sensitive financial data, including income amounts and free-form notes, to a local file without any explicit user notice, consent flow, or privacy controls. In this skill's context, that data is inherently sensitive, and silent persistence increases the risk of unintended disclosure to other local users, backups, sync tools, or compromised processes.

Unpinned Dependencies

Low
Category
Supply Chain
Content
  "author": "clawd",
  "license": "MIT",
  "dependencies": {
    "asciichart": "^1.5.25",
    "chalk": "^4.1.2",
    "dayjs": "^1.11.10"
  },
Confidence
88% confidence
Finding
"asciichart": "^1.5.25"

Unpinned Dependencies

Low
Category
Supply Chain
Content
  "license": "MIT",
  "dependencies": {
    "asciichart": "^1.5.25",
    "chalk": "^4.1.2",
    "dayjs": "^1.11.10"
  },
  "devDependencies": {},
Confidence
88% confidence
Finding
"chalk": "^4.1.2"

Unpinned Dependencies

Low
Category
Supply Chain
Content
  "dependencies": {
    "asciichart": "^1.5.25",
    "chalk": "^4.1.2",
    "dayjs": "^1.11.10"
  },
  "devDependencies": {},
  "engines": {
Confidence
88% confidence
Finding
"dayjs": "^1.11.10"

VirusTotal

63/63 vendors flagged this skill as clean.