Ca File Processor

Security checks across malware telemetry and agentic risk

Overview

The skill fits a financial document-processing purpose, but it appears to use broad file access and may pass sensitive financial records into model context without clear limits or warnings.

Install only if you intend to let this skill process sensitive financial documents. Prefer using it on explicitly selected files, avoid unrelated attachments, and do not provide payroll, tax IDs, bank details, or client records unless you are comfortable with that content being included in model context or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill instructs the agent to read arbitrary user-supplied local files via `python3 scripts/skill_router.py <file_path>`, but it does not declare file-read capability/permissions in its manifest. That mismatch is a real security issue because it obscures the skill's access needs from reviewers and policy enforcement, increasing the chance of unintended file access or overbroad invocation against sensitive financial documents.
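The check a reviewer would expect a router such as `scripts/skill_router.py` to perform before it reads anything, shown as an added example (this is not the skill's own code; the allowed root, the accepted extensions and the helper names are assumptions). It resolves the user-supplied path with symlinks followed, and opens it only if the result is an accepted document type inside the directory the user explicitly selected:

```python
"""Added example: confine a router's <file_path> argument to an explicitly selected directory.
Not the skill's own code; the allowed root, the accepted extensions and the helper names are
assumptions."""
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".csv", ".xlsx", ".pdf"}  # assumed: the document types the skill parses


def resolve_allowed(user_path: str, allowed_root: Path) -> Path:
    """Resolve user_path (symlinks followed, '..' collapsed) and return it only if the result
    is a regular file of an accepted type inside allowed_root; otherwise raise."""
    root = allowed_root.resolve(strict=True)
    candidate = Path(user_path)
    if not candidate.is_absolute():
        candidate = root / candidate
    candidate = candidate.resolve()  # the containment check must run on the resolved path
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"{user_path!r} resolves outside {root}")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise PermissionError(f"{user_path!r}: {candidate.suffix!r} is not an accepted document type")
    if not candidate.is_file():
        raise FileNotFoundError(user_path)
    return candidate


def classify(user_path: str, allowed_root: Path) -> str:
    """Outcome label for one request, used to show the decision for each case below."""
    try:
        resolve_allowed(user_path, allowed_root)
        return "allowed"
    except PermissionError:
        return "denied"
    except FileNotFoundError:
        return "missing"


def demo() -> dict:
    """Build a throwaway inbox (constructed data) and exercise the escape routes a reviewer
    worries about: traversal, a symlink out of the inbox, a wrong file type and an absolute
    path outside the root."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        root = base / "inbox"
        root.mkdir()
        (root / "ledger.csv").write_text("date,amount\n2024-04-01,100\n")
        outside = base / "secrets.csv"
        outside.write_text("pan,ABCDE1234F\n")  # fictional value
        (root / "link.csv").symlink_to(outside)  # symlink pointing out of the inbox
        (root / "notes.txt").write_text("not a document")
        return {
            "in_bounds": classify("ledger.csv", root),
            "traversal": classify("../secrets.csv", root),
            "symlink_escape": classify("link.csv", root),
            "wrong_type": classify("notes.txt", root),
            "absolute_outside": classify(str(outside), root),
            "missing": classify("nope.csv", root),
        }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} {outcome}")
```

The order matters: resolving first and checking containment on the resolved path is what defeats both `../` and symlink escapes; a check on the raw string would pass `link.csv`. Declaring that root (and the accepted types) in the manifest is what gives policy enforcement something to compare against.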

Vague Triggers

Medium
Confidence: 79%
Finding
The trigger set is broad enough to fire on many ordinary requests such as 'read this PDF' or 'what does this document say,' which can cause the skill to activate unexpectedly. In this context, unexpected activation is more sensitive because the skill processes high-value financial and identity data, so accidental routing could expose or over-process documents the user did not intend to send through this workflow.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly packages parsed CSV content into LLM context and preview text, and the surrounding metadata targets highly sensitive financial, payroll, and tax documents. Sending full records and previews without minimization, consent, redaction, or warning can expose bank transactions, salaries, tax IDs, and other regulated data to downstream model processing and logging.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill metadata explicitly states that the parsed workbook output is passed into LLM context, and the processor includes full row data for up to 2000 rows per sheet. In a CA/financial-document workflow, that can expose highly sensitive financial and personal data to downstream model processing without any consent gate, redaction, or user warning, increasing confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence: 93%
Finding
The function returns full OCR text and extracted fields from highly sensitive financial documents, and the module’s test path prints results to stdout. In this CA-focused skill context, that data can include PAN, GSTIN, bank details, invoices, and salary information, so exposing it broadly to downstream LLM context or logs increases the risk of privacy breaches and unintended data retention.
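What minimization before model context looks like for the three findings above (CSV content, workbook rows and OCR text all need the same preprocessing before they reach an LLM or a log). This is an added example, not the skill's code: the column names, the row cap, the sample payroll rows and the 9-18 digit account-number heuristic are assumptions, while the PAN, GSTIN and IFSC formats are the published ones. It caps the rows sent, replaces identifiers with type placeholders, and returns the notice the user should see before anything is sent:

```python
"""Added example: minimize and redact tabular financial data before it is placed in model
context. Not the skill's own code; sample rows, column names, the row cap and the
account-number heuristic are assumptions."""
import collections
import csv
import io
import re

# PAN, GSTIN and IFSC are the published formats. ACCT is a heuristic (9-18 consecutive digits)
# that will also catch other long numbers such as phone numbers, which errs on the safe side.
PATTERNS = [
    # GSTIN first: a GSTIN embeds a PAN in positions 3-12, so it must be consumed whole.
    ("GSTIN", re.compile(r"\b[0-9]{2}[A-Z]{5}[0-9]{4}[A-Z][1-9A-Z]Z[0-9A-Z]\b")),
    ("PAN", re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b")),
    ("IFSC", re.compile(r"\b[A-Z]{4}0[A-Z0-9]{6}\b")),
    ("ACCT", re.compile(r"\b[0-9]{9,18}\b")),
]


def redact(value: str, counts: collections.Counter) -> str:
    """Replace each identifier with a type placeholder and count what was removed."""
    for label, pattern in PATTERNS:
        value, n = pattern.subn(f"[{label}]", value)
        counts[label] += n
    return value


def minimize_for_context(csv_text: str, max_rows: int = 20) -> dict:
    """Return only what the model needs: a capped, redacted row sample plus a notice that
    tells the user how much was sent and what was stripped (the warning the findings ask for).
    Amounts are kept because the workflow needs them; identifiers are not."""
    reader = csv.DictReader(io.StringIO(csv_text))
    all_rows = list(reader)
    counts = collections.Counter()
    sample = [{h: redact(v or "", counts) for h, v in row.items()} for row in all_rows[:max_rows]]
    redacted = ", ".join(f"{k}={v}" for k, v in sorted(counts.items()) if v)
    notice = (f"Sending {len(sample)} of {len(all_rows)} rows to model context; "
              f"redacted identifiers: {redacted or 'none'}.")
    return {
        "columns": reader.fieldnames or [],
        "rows": sample,
        "total_rows": len(all_rows),
        "rows_sent": len(sample),
        "redactions": dict(counts),
        "notice": notice,
    }


# Constructed sample payroll export; every value is fictional.
SAMPLE_CSV = """employee,pan,bank_account,ifsc,salary,remarks
Asha Rao,ABCDE1234F,123456789012,HDFC0001234,85000,reimbursed vendor GSTIN 27ABCDE1234F1Z5
Vikram Sen,FGHIJ5678K,987654321098,SBIN0005678,92000,none
Meera Iyer,KLMNO9012P,112233445566,ICIC0001111,78000,
"""


def demo() -> dict:
    """Run the sample through with a deliberately small cap to show truncation reporting."""
    return minimize_for_context(SAMPLE_CSV, max_rows=2)


if __name__ == "__main__":
    result = demo()
    print(result["notice"])
    for row in result["rows"]:
        print(row)
```

The same `redact` pass applies to OCR text before it is returned or printed, and the notice is the place to surface a consent step rather than printing full results to stdout on the test path. A regex pass is a floor, not a guarantee: names, addresses and free-text remarks still need a policy decision about whether they belong in context at all.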

Natural-Language Policy Violations

Medium
Confidence: 88%
Finding
The trigger phrase "any file received" is overly broad and can cause this skill to activate on arbitrary attachments outside the intended financial-document workflow. That increases the chance of unintended parsing of sensitive or irrelevant files and expands the attack surface by routing more untrusted content into downstream file processors, which are often high-risk components.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal