Invoice & Expense Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a local expense-tracking skill whose financial data writes are disclosed and purpose-aligned, though users should treat the generated files as sensitive.

Install only if you want the assistant to create and maintain local financial records in the current workspace. Review parsed entries and CSV exports before relying on them, keep ledger and export files out of public repositories, and avoid entering account numbers, card numbers, SSNs, or tax-critical records without your own controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 84%
Finding
The README presents very broad natural-language invocation examples such as logging expenses, invoicing customers, answering spending questions, and exporting accountant-ready data, but it does not define clear trigger conditions, required confirmation, or excluded phrases. In a finance-oriented skill, ambiguous triggers can cause accidental ledger modifications, unintended exports, or misinterpretation of ordinary conversation as bookkeeping commands, which can compromise the integrity of financial records.

Vague Triggers

Medium
Confidence: 93%
Finding
The instruction to treat 'anything about spending, paying, receiving, or invoicing' as a ledger entry trigger is broad enough to capture casual discussion, hypothetical examples, or retrospective analysis as commands. In a finance skill that persists data to a local ledger, accidental writes can corrupt records, create duplicate or false transactions, and undermine the integrity of accounting exports and reports.

VirusTotal

65/65 vendors flagged this skill as clean.
