Finance Report Analyzer

Security checks across malware telemetry and agentic risk

Overview

This finance report skill has a coherent purpose, but it uses sensitive Feishu credentials, can send financial reports externally, and installs packages at runtime without enough safeguards.

Install only if you are comfortable with the skill using Feishu app credentials and transmitting financial files or generated reports through Feishu. Before use: preinstall the dependencies at pinned versions so the runtime pip fallback never fires; confirm every outbound recipient and file; keep confidential spreadsheets out unless the destination workspace is approved; and run the PDF converters, which the skill invokes with --no-sandbox (Chromium) and --enable-local-file-access (wkhtmltopdf), inside a sandboxed environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
try:
    import openpyxl
except ImportError:
    os.system("pip install openpyxl -q")
    import openpyxl
Confidence
98% confidence
Finding
os.system("pip install openpyxl -q")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
except (FileNotFoundError, subprocess.CalledProcessError):
        pass
    try:
        os.system("pip install markdownify -q")
        from markdownify import markdownify
        with open(html_path) as f:
            md = markdownify(f.read(), heading_style="ATX")
Confidence
98% confidence
Finding
os.system("pip install markdownify -q")
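Both findings above come from the same pattern: a missing import is "fixed" by shelling out to pip at runtime, so whatever the package index serves at that moment is imported into a process that handles financial data. The fail-closed alternative below is an added example, not code from the skill: it compares the installed distributions against a pinned set and refuses to run on any mismatch instead of installing anything. The REQUIRED_PINS table and its version numbers are illustrative placeholders, not the skill's real requirements.

```python
"""Fail-closed dependency gate: the hardened counterpart of
`try: import x / except ImportError: os.system("pip install x")`.

Added example, not code from the scanned skill. REQUIRED_PINS holds
illustrative placeholder versions, not the skill's real requirements.
"""
import importlib
from importlib import metadata
from typing import Dict, List, Optional

# Placeholder pin set; a real deployment reads this from the lock file it
# was installed from. Keys are *distribution* names, lowercased.
REQUIRED_PINS: Dict[str, str] = {
    "openpyxl": "3.1.2",
    "markdownify": "0.12.1",
}


def installed_distributions() -> Dict[str, str]:
    """Snapshot of what is actually installed: {dist_name: version}."""
    out: Dict[str, str] = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name") if dist.metadata is not None else None
        if name:
            out[name.lower()] = dist.version
    return out


def check_pins(pins: Dict[str, str],
               installed: Optional[Dict[str, str]] = None) -> List[str]:
    """Return human-readable problems; an empty list means every pin matches.

    `installed` is injectable so the gate can be tested without depending on
    the real environment; by default it is read from importlib.metadata.
    """
    if installed is None:
        installed = installed_distributions()
    problems: List[str] = []
    for dist, wanted in pins.items():
        have = installed.get(dist.lower())
        if have is None:
            problems.append(f"{dist}=={wanted} is not installed")
        elif have != wanted:
            problems.append(f"{dist}: installed {have}, pinned {wanted}")
    return problems


def require_pinned(pins: Dict[str, str],
                   installed: Optional[Dict[str, str]] = None) -> None:
    """Abort with a clear message instead of shelling out to pip."""
    problems = check_pins(pins, installed)
    if problems:
        raise RuntimeError(
            "Refusing to run: dependencies missing or not at pinned versions\n  "
            + "\n  ".join(problems)
            + "\nInstall from the pinned lock file, then rerun the skill."
        )


def load_openpyxl():
    """Import only after the whole pinned set has been verified."""
    require_pinned(REQUIRED_PINS)
    return importlib.import_module("openpyxl")
```

importlib.metadata reports distribution names, which can differ from import names (PyYAML versus yaml), so the pin table must use the distribution name. For a stronger guarantee, install from a hash-pinned lock file with `pip install --require-hashes` outside the skill and run this check as a start-up gate.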

subprocess module call

Medium
Category
Dangerous Code Execution
Content
["wkhtmltopdf", "--quiet", "--enable-local-file-access", "--page-size", "A4", "--orientation", "Landscape", html_path, pdf_path],
    ]:
        try:
            subprocess.run(cmd, check=True, capture_output=True)
            return True
        except (FileNotFoundError, subprocess.CalledProcessError):
            pass
Confidence
89% confidence
Finding
subprocess.run(cmd, check=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
pass
    for browser in ["chromium-browser", "chromium", "google-chrome"]:
        try:
            subprocess.run([browser, "--headless", "--disable-gpu", "--no-sandbox", f"--print-to-pdf={pdf_path}", html_path], check=True, capture_output=True)
            return True
        except (FileNotFoundError, subprocess.CalledProcessError):
            continue
Confidence
94% confidence
Finding
subprocess.run([browser, "--headless", "--disable-gpu", "--no-sandbox", f"--print-to-pdf={pdf_path}", html_path], check=True, capture_output=True)
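The two subprocess findings above flag more than "a shell call": wkhtmltopdf is run with --enable-local-file-access, which lets the HTML being rendered pull local files into the PDF, and Chromium is run with --no-sandbox, which turns off its renderer sandbox for that same HTML. A small AST pass catches both patterns, plus the runtime pip installs, before a skill ships. The checker below is an added example of how a Behavioral AST rule works, not the SkillSpector implementation; its rule names and the SAMPLE source (which mirrors the snippets quoted on this page) are constructed for illustration.

```python
"""Minimal Behavioral-AST style checker for the patterns flagged above:
shell calls that install packages or disable sandboxing, plus exec()/eval().
Added example, not the SkillSpector implementation; rule names are invented.
"""
import ast
from dataclasses import dataclass
from typing import List, Set, Tuple

# Flags that weaken isolation in the PDF converters the skill shells out to.
RISKY_FLAGS: Set[str] = {"--no-sandbox", "--enable-local-file-access"}
SHELL_FUNCS: Set[Tuple[str, ...]] = {
    ("os", "system"), ("os", "popen"), ("subprocess", "run"),
    ("subprocess", "call"), ("subprocess", "Popen"),
    ("subprocess", "check_output"), ("subprocess", "check_call"),
}


@dataclass
class Finding:
    rule: str
    line: int
    detail: str


def _dotted(node: ast.AST) -> str:
    """Return 'mod.attr' for a module.function callee, a bare name, or ''."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return f"{node.value.id}.{node.attr}"
    if isinstance(node, ast.Name):
        return node.id
    return ""


def _string_literals(node: ast.AST) -> List[str]:
    """Every string constant inside an argument (lists, f-string literal
    parts and plain constants alike)."""
    return [sub.value for sub in ast.walk(node)
            if isinstance(sub, ast.Constant) and isinstance(sub.value, str)]


def scan_source(src: str) -> List[Finding]:
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        callee = _dotted(node.func)
        if callee in ("exec", "eval"):
            findings.append(Finding("dynamic-exec", node.lineno, f"{callee}() call"))
            continue
        if tuple(callee.split(".", 1)) not in SHELL_FUNCS:
            continue
        literals = [s for arg in node.args for s in _string_literals(arg)]
        joined = " ".join(literals)
        if "pip install" in joined or "pip3 install" in joined:
            findings.append(Finding("runtime-pip-install", node.lineno, joined.strip()))
        risky = sorted(RISKY_FLAGS.intersection(literals))
        if risky:
            findings.append(Finding("sandbox-weakening-flag", node.lineno, ", ".join(risky)))
        if not literals:
            # Command built elsewhere (a variable): surface it for manual review.
            findings.append(Finding("shell-exec", node.lineno, callee))
    return findings


# Constructed sample mirroring the snippets quoted on this page.
SAMPLE = '''\
import os, subprocess
try:
    import openpyxl
except ImportError:
    os.system("pip install openpyxl -q")
    import openpyxl

def to_pdf(html_path, pdf_path):
    subprocess.run(["wkhtmltopdf", "--quiet", "--enable-local-file-access",
                    "--page-size", "A4", html_path, pdf_path], check=True)
    for browser in ["chromium", "google-chrome"]:
        subprocess.run([browser, "--headless", "--no-sandbox",
                        f"--print-to-pdf={pdf_path}", html_path], check=True)
    cmd = ["libreoffice", "--headless", "--convert-to", "pdf", html_path]
    subprocess.run(cmd, check=True, capture_output=True)
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.rule}: {f.detail}")
```

Limitations worth knowing: the checker only resolves module.function callees, so `from subprocess import run` or an aliased import slips through, and an argument list built elsewhere (the `cmd` variable in the last call) is reported as a bare shell-exec for manual review rather than inspected.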

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documents shell execution and file-writing behavior but declares no permissions, creating a capability/manifest mismatch that undermines policy enforcement and user/operator expectations. In this context, the undocumented shell access is especially risky because the workflow also includes network calls and local file handling, enabling broader actions than a simple reporting skill implies.

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The skill advertises broader data sources and analysis capabilities than the documented behavior supports, which can mislead routing and cause the agent to invoke the skill in contexts it cannot safely or correctly handle. This is a security concern because overbroad claims can hide unexpected fallback behavior, unnecessary data access, or user data being sent through unsupported workflows such as external API handling.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill is presented as a local financial-analysis tool, but the documented workflow also uploads generated reports and sends them into Feishu chats via direct APIs. That expands the data-flow boundary from analysis to outbound transmission, increasing the chance of unintended disclosure of sensitive financial information.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The documentation instructs the skill to read Feishu app credentials from local configuration to obtain API tokens, which is unrelated to core report generation and introduces access to sensitive secrets. If abused, this enables unauthorized API calls, file access, message retrieval, and exfiltration using the host's configured tenant credentials.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Runtime package installation is beyond what users reasonably expect from a finance-reporting skill and introduces unnecessary code execution from external repositories. In this context, the behavior is especially risky because the tool may be run on analyst workstations or backend hosts with sensitive data access.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The fallback path installs an additional package at runtime solely to support Markdown export, which is not necessary for safe operation and expands the supply-chain attack surface. Because this occurs automatically and without user approval, it can lead to unexpected code execution on the host.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README advertises optional online benchmarking/search but does not disclose that using this feature may send company names, tickers, financial figures, or document-derived context to external services. In a finance-analysis skill, that omission is security-relevant because users may process sensitive nonpublic financial data and reasonably expect local-only handling unless network transmission is clearly documented and consented to.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The instructions to access Feishu app credentials from configuration are not surfaced to the user, so the skill may silently leverage tenant secrets during normal use. Hidden secret access reduces informed consent and can mask privileged operations far beyond simple file analysis.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The workflow downloads and uploads files through Feishu APIs without warning that user financial documents and generated reports may be transmitted to an external service. Because the skill handles potentially sensitive business data, this lack of disclosure materially increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Silently installing Python packages at runtime without prior disclosure violates safe-execution expectations and can surprise users by modifying the local environment. While this is partly a trust and deployment issue, it also materially increases the chance of unsafe code being introduced during execution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Markdown fallback auto-installs a new dependency without clear user consent, creating hidden side effects and exposing the environment to package-supply-chain risk. In a skill expected to process sensitive financial documents, undisclosed environment changes are especially inappropriate.

External Transmission

Medium
Category
Data Exfiltration
Content
1. **Feishu chat file attachment** — Download via API:
   ```bash
   # Get token
   TOKEN=$(curl -s -X POST 'https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal' \
     -H 'Content-Type: application/json' \
     -d '{"app_id":"APP_ID","app_secret":"APP_SECRET"}' | python3 -c "import json,sys; print(json.load(sys.stdin)['tenant_access_token'])")
   # Get file_key from message
Confidence
89% confidence
Finding
curl -s -X POST 'https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal' -H 'Content-Type: application/json' -d

External Transmission

Medium
Category
Data Exfiltration
Content
FILE_KEY=$(echo "$UPLOAD" | python3 -c "import json,sys; print(json.load(sys.stdin)['data']['file_key'])")

# 2. Send file message to chat
curl -s -X POST 'https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=chat_id' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d "{\"receive_id\":\"CHAT_ID\",\"msg_type\":\"file\",\"content\":\"{\\\"file_key\\\":\\\"$FILE_KEY\\\"}\"}"
Confidence
90% confidence
Finding
curl -s -X POST 'https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=chat_id' -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -d
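The two External Transmission findings are the upload-then-message sequence through which a report leaves the host. The guard below is an added example, not part of the skill: it requires a pre-approved chat_id, confines the file to the report output directory (so a stray spreadsheet or a path containing `..` cannot be attached), restricts the file type, asks for one explicit confirmation that names both recipient and file, and then only builds the `im/v1/messages` request in the same shape as the skill's curl without sending it. The chat IDs, paths and the `confirm` callback are placeholders.

```python
"""Policy gate in front of the outbound Feishu steps quoted above.
Added example, not the skill's code; chat IDs, paths and the confirmation
callback are placeholders. Nothing here performs network I/O.
"""
import json
from pathlib import Path
from typing import Callable, Dict, Iterable

FEISHU_MESSAGES = "https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=chat_id"


class OutboundBlocked(Exception):
    """Raised when a send fails policy; nothing has left the host."""


def _within(path: Path, root: Path) -> bool:
    """True if `path` resolves to somewhere under `root` (defeats '..')."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def approve_outbound(chat_id: str, report_path: str, *,
                     approved_chats: Iterable[str],
                     report_root: str,
                     allowed_suffixes=(".pdf", ".md"),
                     confirm: Callable[[str], bool]) -> Path:
    """Return the validated path or raise OutboundBlocked.

    Policy: destination pre-approved; file under the report output directory
    (no arbitrary spreadsheets); allowed type; a human confirms recipient and
    file together.
    """
    if chat_id not in set(approved_chats):
        raise OutboundBlocked(f"chat {chat_id} is not an approved destination")
    path = Path(report_path)
    if not _within(path, Path(report_root)):
        raise OutboundBlocked(f"{report_path} is outside {report_root}")
    if path.suffix.lower() not in allowed_suffixes:
        raise OutboundBlocked(f"{path.suffix or '(no extension)'} files may not be sent")
    if not confirm(f"Send {path.name} to Feishu chat {chat_id}?"):
        raise OutboundBlocked("operator declined")
    return path


def build_file_message(chat_id: str, file_key: str) -> Dict[str, str]:
    """Body for POST im/v1/messages, same shape as the skill's curl.
    `content` is itself a JSON string, as the Feishu IM API expects."""
    return {
        "receive_id": chat_id,
        "msg_type": "file",
        "content": json.dumps({"file_key": file_key}),
    }


def prepare_send(token: str, chat_id: str, file_key: str, report_path: str,
                 **policy) -> Dict:
    """Dry run: enforce policy, then return the request the caller may
    execute with its HTTP client. The token is the tenant_access_token
    obtained in the skill's first step; it is not fetched here."""
    path = approve_outbound(chat_id, report_path, **policy)
    return {
        "method": "POST",
        "url": FEISHU_MESSAGES,
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json"},
        "json": build_file_message(chat_id, file_key),
        "file": str(path),
    }
```

The confirmation prompt deliberately includes both the recipient and the file name, because the failure mode this page describes is a correct file going to the wrong chat, or a confidential spreadsheet going where only a generated summary was expected.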

VirusTotal

66/66 vendors flagged this skill as clean.
