ClawHub

Singapore SME Compliance

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a Singapore tax/compliance helper, but its instructions under-disclose external API use involving sensitive business and tax data.

Install only if you intend to use it as a compliance reference or local GST calculator. Do not provide Xero, QuickBooks, CorpPass, or other production credentials, and do not allow it to submit filings or send invoice/tax data externally unless you have verified the endpoint, reviewed the payload, and explicitly approved the action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README makes conflicting claims: it documents external endpoints and states the skill may autonomously invoke API calls, yet also claims that no sensitive data leaves the machine and that all calculations are local. This can mislead users into consenting to installation or use under false privacy assumptions, especially in a compliance/tax context where invoice values and business data may be sensitive.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The integration examples encourage transmission of accounting and tax data to third-party or government endpoints using bearer tokens, but provide no warning about data sensitivity, token storage, environment separation, logging, or least-privilege access. In a compliance skill, this context increases risk because invoice, purchase, and tax-return data is financially sensitive and can expose business information if mishandled.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal