Security audit

Monzo

Security checks across malware telemetry and agentic risk

Overview

This Monzo skill is mostly transparent, but it should be reviewed carefully because it gives an agent persistent bank access and can make account changes without built-in confirmation.

Install only if you are comfortable giving an agent ongoing Monzo API access. Use it on a machine you control, keep MONZO_KEYRING_PASSWORD out of shared config where possible, review connected apps in Monzo, and require your own explicit confirmation before any pot movement, receipt deletion, transaction annotation, feed notification, or webhook change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly invokes shell scripts and external binaries, but the manifest does not declare corresponding permissions. This creates a transparency and policy gap: users and the platform may not realize the skill can execute commands that access banking data and perform account-affecting operations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The public description understates the real scope of the skill, which includes OAuth credential acquisition/storage, webhook management, and receipt manipulation in addition to balance and transaction viewing. Scope mismatch is dangerous because users may authorize a skill believing it is read-oriented when it actually has persistent authenticated access and account-modifying capabilities.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The README advertises receipt management and webhook registration capabilities that are not reflected in the stated skill description. In a banking skill, undocumented or under-disclosed capabilities materially expand the attack surface because users and reviewers may not realize the skill can exfiltrate transaction data to webhooks or alter transaction metadata.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documented scope expands beyond the declared banking functions to include receipt and webhook management, which are additional authenticated capabilities. Hidden or weakly disclosed scope increases the chance of overbroad trust and unintended use of sensitive account-integrated features.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The usage section documents pot deposit and withdrawal commands without an immediate warning that these operations move real money. In a financial automation context, this increases the risk of accidental or socially engineered fund transfers, especially if an agent invokes commands from natural-language prompts.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The activation guidance uses broad everyday finance phrases, making accidental or overly eager invocation more likely. In a banking context, unintended invocation can expose balances/transactions or trigger follow-on account actions without sufficient user intent verification.

Missing User Warnings

High
Confidence
97% confidence
Finding
The documentation includes money-moving and account-modifying commands such as pot deposits/withdrawals without any explicit confirmation, step-up verification, or user-warning requirement. In a financial skill, missing confirmation creates a direct risk of unauthorized or mistaken transfers and other irreversible changes.

Credential Access

High
Category
Privilege Escalation
Content
"monzo": {
        enabled: true,
        env: {
          "MONZO_KEYRING_PASSWORD": "choose-a-secure-password-here"
        }
      }
    }
Confidence
90% confidence
Finding
KEYRING

Credential Access

High
Category
Privilege Escalation
Content
1. Ask for your Client ID and Client Secret
2. Give you an authorization URL to open in your browser
3. Ask you to paste the redirect URL back
4. Exchange the code for access tokens
5. Save encrypted credentials

**Alternative: Non-interactive mode** (useful for automation or agents):
Confidence
89% confidence
Finding
access tokens

Credential Access

High
Category
Privilege Escalation
Content
- Credentials are **encrypted at rest** (AES-256-CBC)
- Encryption key is your `MONZO_KEYRING_PASSWORD`
- Access tokens auto-refresh (no manual intervention needed)
- File permissions are set to 600 (owner only)
- All API calls use HTTPS
- No sensitive data is logged
Confidence
84% confidence
Finding
Access tokens

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# 1. Set the MONZO_KEYRING_PASSWORD env var (see "Setting the Password" below)

# 2. Create OAuth client at https://developers.monzo.com/
#    - Set Confidentiality: Confidential
#    - Set Redirect URL: http://localhost
```
Confidence
87% confidence
Finding
Create OAuth client at https://developers.monzo.com/ # - Set Confidentiality: Confidential # - Set Redirect URL: http://localhost # 3. Run setup scripts/setup.sh # 4. Approve in Monzo app when

VirusTotal

66/66 vendors flagged this skill as clean.