Bkash-Nagad-Tracker

Security checks across malware telemetry and agentic risk

Overview

This expense tracker is mostly purpose-aligned, but it makes conflicting privacy claims while sending sensitive transaction text and weekly spending summaries to Anthropic, including from an automatic weekly digest.

Review before installing. Use this only if you are comfortable sending some transaction messages and weekly spending statistics to Anthropic under your API key. Avoid highly sensitive notes, use a dedicated limited API key, and disable or avoid the weekly heartbeat unless you intentionally want automatic financial digests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill invokes local Python scripts, uses a shell command interface, and requires an API key, but it does not declare corresponding permissions or clearly disclose these capabilities. This creates a transparency and policy gap: users and hosting systems may not realize the skill can execute code, write local data, and access sensitive environment variables while handling financial transaction data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is a local transaction tracker, but the behavior includes sending user transaction content and weekly statistics to Anthropic for parsing and summarization, plus additional data access features not described in the summary. Because the data is personal financial activity, this mismatch is materially dangerous: users may disclose sensitive spending information without informed consent, and hidden export/history capabilities expand privacy risk.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The parser reads an API key and initializes an external Anthropic client, and elsewhere uses it to transmit user transaction text off-device/off-service for parsing. For a finance-tracking skill handling spending and remittance data, undisclosed third-party transmission is a real privacy and data-governance issue because sensitive financial content may leave the expected trust boundary.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
This code path sends raw user transaction messages to Anthropic when regex parsing is insufficient, but the skill description presents itself as a conversational transaction logger without mentioning third-party processing. In the context of Bangladeshi personal finance tracking, users may reasonably include highly sensitive information such as family remittances, merchants, and amounts, making the hidden data flow materially risky.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code initializes an Anthropic client and later sends weekly spending statistics to an external API, which is a real data exfiltration pathway for sensitive financial behavior. Even if used only for summarization, transmitting transaction-derived data to a third party without clear necessity, minimization, or user consent creates privacy and compliance risk.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This function packages user spending totals, categories, methods, and date ranges into a prompt and transmits them to Claude. Financial transaction summaries are sensitive personal data, so exporting them to a third-party model provider broadens data exposure beyond local bookkeeping and increases privacy risk if users are not explicitly informed.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README encourages users to 'just send a message' with free-form examples and says 'Any expense message' logs a transaction, but it does not clearly define activation boundaries or confirmation behavior. In a chat-based skill, this can cause ordinary conversational text that resembles spending activity to be logged unintentionally, leading to inaccurate records and accidental capture of sensitive financial content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The installation and requirements sections mention an Anthropic API key, but the README does not clearly warn at the point of use that transaction text may be sent to Anthropic for parsing. Because the skill handles financial transaction data, insufficient upfront disclosure can mislead users about data flows and create privacy and compliance risk even if storage is local.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation rules match broad terms like amounts, common verbs, and generic words such as 'weekly' or 'report', which can cause the skill to trigger during unrelated conversations. In this context, an accidental trigger is risky because it may parse ordinary chat as a financial transaction, persist incorrect records, or send sensitive text to external processing components.

Missing User Warnings

High
Confidence
94% confidence
Finding
The skill is configured to automatically send weekly spending digests every Sunday without an explicit consent, subscription, or warning flow. Since the content is personal financial data, unsolicited delivery can expose sensitive information on shared devices, in the wrong chat context, or to users who did not intend to enable recurring summaries.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The fallback path forwards user message content to an external API without any warning, consent, or visible disclosure in this code. Because transaction messages can contain financial behavior and family/payment context, silently sharing them with a third party creates a privacy vulnerability even if the purpose is parsing rather than exfiltration.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The external API call sends weekly spending data without any user-facing warning, consent flow, or visible disclosure in the code path. Hidden transmission of personal finance metadata undermines user expectations and can materially increase privacy harm, especially in a budgeting skill where users may expect local handling.

Ssd 1

Medium
Confidence
87% confidence
Finding
User-controlled text is interpolated directly into an LLM prompt, so a crafted message can contain instruction-like content that attempts to override extraction rules and produce malformed or deceptive JSON. In this skill, that can corrupt transaction records or trigger fallback/error behavior, undermining the integrity of financial logging even if it does not directly expose secrets.

VirusTotal

64/64 vendors flagged this skill as clean.
