StatementEdge

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed StatementEdge integration for uploading bank-statement PDFs for conversion. Note that the API currently returns only JSON; every other export format requires a browser download or client-side transformation.

Install only if you are comfortable sending bank statements, and possibly PDF passwords, to StatementEdge and its disclosed subprocessors. Expect the API to return JSON today; use browser downloads or your own transformation code for CSV, Excel, QuickBooks, Xero, Sage, or OFX until a native export endpoint exists.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%

Finding:
The manifest advertises direct conversion to CSV, Excel, QuickBooks, Xero, Sage, and OFX, but the body of the skill says the API currently returns JSON and that other formats require client-side transformation or browser download. This is a capability misrepresentation that can mislead agents into unsafe automation assumptions, cause workflow failures, or result in improper handling of sensitive financial data when downstream tooling expects native exports that do not exist.

Intent-Code Divergence

Severity: Medium
Confidence: 95%

Finding:
The documentation creates an internal contradiction by claiming multi-format conversion at a high level while later stating that only JSON is returned and native multi-format export is still on the roadmap. In a security-sensitive financial processing context, misleading capability claims increase operational risk because users or agents may route bank-statement data into inappropriate or brittle post-processing steps under false assumptions.

VirusTotal

63/63 vendors flagged this skill as clean.