Friday Budgeting Pro

Security checks across malware telemetry and agentic risk

Overview

This finance skill appears purpose-built rather than malicious, but it needs review because it handles bank credentials and transaction data with under-disclosed external sharing, plaintext secret storage, and persistent automation.

Install only if you are comfortable giving this skill access to Plaid banking data, persistent local storage, a background daemon, and possible external LLM processing of transaction context. Do not paste production Plaid secrets into a chat; use a dedicated local secret-entry path only after the publisher fixes credential handling, explicit LLM consent, and scheduled-sync controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (40)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The implementation plan materially narrows the delivered security and feature boundary compared with the published description, which claims support for multiple ledgers including rental properties and investments. In a finance skill, this kind of scope mismatch can mislead users or upstream agents into sending sensitive financial tasks or data to a system that is not designed to handle them safely or correctly, causing data misclassification, incomplete records, or unsafe operational assumptions.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
Declaring investment tracking out of scope directly contradicts the skill description that advertises investment ledger support. For a budgeting tool that connects to banks and exports financial data, this discrepancy is dangerous because users or orchestrating agents may rely on nonexistent handling for investment data, resulting in omission, incorrect categorization, or inappropriate processing of sensitive financial information.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The README markets the app as 'local-only' and says everything binds to 127.0.0.1, but it also explicitly relies on external services such as Plaid and a chosen LLM. This is a security-significant documentation mismatch because users may disclose banking credentials and financial data under the false assumption that nothing leaves the machine.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The schema stores raw Plaid client credentials and secret per user in the database, creating a highly sensitive secret store inside the application data plane. If the database is exposed through SQL injection, backup leakage, insider access, or misconfiguration, attackers could recover Plaid credentials and pivot into bank-data access or API abuse; for Plaid secrets, hashing is not viable because the application must use the original secret, so they require strong encryption and access isolation instead.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This batch classifier sends detailed transaction metadata plus the full ledger tree to an external LLM, which can expose more personal financial information than is strictly necessary for classification. In a personal finance skill handling household, rental, and investment ledgers, the ledger names and line items can reveal highly sensitive behavioral and financial context even if no direct credentials are sent.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The formatter uses abs(amount), which removes the negative sign from debits, refunds, liabilities, or losses while the module claims to perform display-only formatting. In a personal finance skill, this can misrepresent transaction direction and balances, causing users or downstream workflows to interpret expenses as positive amounts and make incorrect financial decisions.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This wrapper is designed to read OpenClaw credential files and silently use them to call external LLM providers, which expands the skill's trust boundary beyond a local budgeting workflow. In a personal-finance skill, prompts and user financial data may be transmitted off-device using ambient credentials the user did not explicitly authorize for this skill, creating a meaningful data-exfiltration and unauthorized third-party processing risk.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill exposes a password-reset capability that is outside the finance-tracking functionality described in the manifest and directly affects authentication state. It generates recovery tokens and returns a reset URL, which expands the agent's authority over account access and could be abused by a compromised or over-permissioned agent session to facilitate account takeover.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This tool allows changing the UI password through the agent interface, a powerful authentication-management action not justified by the budgeting skill description. If an agent session is misused, an attacker could change the local app password and lock out the legitimate user, making this materially more dangerous than ordinary finance read/write operations.

Description-Behavior Mismatch

Low
Confidence
80% confidence
Finding
The skill silently writes a cron specification into ~/.openclaw to trigger future agent actions, which is persistence behavior beyond the manifest's stated budgeting/export features. Even though the scheduled task is related to syncing, hidden persistence increases the attack surface and can cause unattended actions without clear user consent.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The test file hardcodes Plaid sandbox credentials and uses them automatically via environment defaults. Even though these are sandbox credentials in test code, embedding third-party API secrets in source control normalizes secret exposure, allows unintended external use of the linked sandbox account, and can leak into forks, logs, or CI environments.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The test file hardcodes Plaid sandbox credentials directly into source via environment defaults, which is a real secret-management flaw even if the keys are for a sandbox environment. Committed credentials can be reused by anyone with repository access, normalize insecure handling of financial integration secrets, and may enable unauthorized API usage or abuse of the linked test environment.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The test file hardcodes Plaid sandbox credentials and automatically uses them when environment overrides are absent. Even though these are sandbox values, embedding third-party API credentials in source encourages secret leakage, unauthorized reuse, and accidental promotion of insecure credential-handling practices across the codebase.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The test file hardcodes Plaid sandbox credentials directly into source via environment defaults. Even though these are sandbox values, embedding third-party API credentials in code normalizes unsafe secret handling, risks reuse in other contexts, and could allow unauthorized use of the application's Plaid test integration or accidental promotion to real credentials later.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The test file hardcodes Plaid sandbox credentials directly in source code. Even though they appear to be sandbox-only, embedding third-party API credentials in a repository is still a security weakness because such values can be reused unintentionally, normalize insecure secret handling, and may grant access to sandbox resources that can expose test financial data or be abused for unauthorized API activity.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The forgot-password flow instructs the user to retrieve a recovery token from a local file in the agent's home directory via terminal access. For a budgeting skill, this introduces an unnecessary cross-boundary interaction with the local filesystem and shell, which can expose sensitive recovery secrets to other local processes, backups, logs, or misconfigured permissions and normalizes risky behavior outside the app UI.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Directing users to run `cat ~/.friday-bp/recovery.txt` requires shell access and exposes a sensitive reset token through a plaintext file workflow unrelated to the stated finance-tracking purpose. In the context of a financial application, recovery credentials deserve stronger handling because compromise could lead to account takeover and access to banking-linked data.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The design sends merchant names, amounts, categories, hints, and transaction context to an external LLM provider, but the document does not describe explicit user consent or a clear in-product disclosure before data sharing occurs. In a personal-finance skill, even limited transaction metadata is highly sensitive and can reveal habits, employers, medical spending, travel, or subscriptions.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The install flow is presented as a simple one-command setup without a prominent warning that the skill will connect to bank accounts, store financial data locally, and initiate recurring background sync behavior. For a finance tool, failing to clearly disclose persistent access and automated processing can lead users to authorize materially sensitive actions without informed understanding.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document instructs users to run a direct sqlite3 UPDATE against the live application database in the user's home directory. Even though this is framed as a workaround, bypassing application logic and safeguards can cause accidental data corruption, inconsistent state, and unsafe handling of sensitive financial metadata.

Missing User Warnings

High
Confidence
97% confidence
Finding
The README instructs users to paste Plaid Client ID and Production Secret into an AI agent chat. Sending secrets through an agent interface can expose them to model providers, logs, chat history, screenshots, plugin chains, or unintended downstream processing, especially since the document also references use with LLM-backed clients.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill states that pending transactions may be classified via an LLM and documents fallback to Anthropic, but the user-facing description does not clearly disclose that transaction details may leave the local machine and be sent to an external provider. For a personal finance tool, undisclosed external transmission of merchants, amounts, and ledger context is a material privacy and compliance risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The swarm protocol authorizes the PM to kill worker agents automatically based on timing/error heuristics, with no explicit confirmation or user-visible warning before terminating active sessions. In an autonomous agent environment, kill operations are destructive because they can interrupt in-flight work, discard context, and trigger follow-on actions like re-queuing or issue comments without human review.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The PM is instructed to automatically approve, squash-merge, and delete the branch whenever review conditions appear satisfied, with no explicit human confirmation step. In a repo with financial tooling and autonomous workers, this creates a risky path for unintended or insufficiently reviewed code to be merged and source branches removed, reducing the chance to catch harmful changes and complicating rollback or forensic review.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The package description advertises sensitive financial capabilities such as bank connectivity, transaction syncing, and export features, but it provides no indication of trigger boundaries, user-consent requirements, or activation constraints. In an agent skill ecosystem, broad unactioned capability claims can cause over-permissioning or unsafe invocation assumptions, which is more concerning here because the skill handles banking and investment data.

VirusTotal

64/64 vendors flagged this skill as clean.
