ClawReceipt

Security checks across malware telemetry and agentic risk

Overview

ClawReceipt is a local receipt and budget tracker with privacy and dependency-hygiene caveats, but its behavior is coherent and not deceptive.

Install in a trusted virtual environment, consider pinning dependencies before regular use, and treat the SQLite database and exported CSV/XLSX files as private financial records. Review receipt details before letting an agent save them.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (13)

Missing User Warnings

Medium
Confidence: 88%
Finding: The README promotes capturing, storing, monitoring, and exporting receipt and budget data, but does not warn users that this is financial information persisted locally in a SQLite database and exportable to CSV/Excel. In an agent-skill context, this omission increases the chance that users or automated systems handle sensitive spending data without understanding retention, disclosure, or filesystem exposure risks.

Unpinned Dependencies

Low
Category: Supply Chain
Content (dependency list excerpt):
textual
rich
pandas
openpyxl
Confidence: 97%
Finding: textual

Unpinned Dependencies

Low
Category: Supply Chain
Content (dependency list excerpt):
textual
rich
pandas
openpyxl
pydantic
Confidence: 97%
Finding: rich

Unpinned Dependencies

Low
Category: Supply Chain
Content (dependency list excerpt):
textual
rich
pandas
openpyxl
pydantic
pillow
Confidence: 99%
Finding: pandas

Unpinned Dependencies

Low
Category: Supply Chain
Content (dependency list excerpt):
textual
rich
pandas
openpyxl
pydantic
pillow
python-dotenv
Confidence: 99%
Finding: openpyxl

Unpinned Dependencies

Low
Category: Supply Chain
Content (dependency list excerpt):
rich
pandas
openpyxl
pydantic
pillow
python-dotenv
Confidence: 98%
Finding: pydantic

Unpinned Dependencies

Low
Category: Supply Chain
Content (dependency list excerpt):
pandas
openpyxl
pydantic
pillow
python-dotenv
Confidence: 99%
Finding: pillow

Unpinned Dependencies

Low
Category: Supply Chain
Content (dependency list excerpt):
openpyxl
pydantic
pillow
python-dotenv
Confidence: 96%
Finding: python-dotenv

Known Vulnerable Dependency: pandas — 1 advisory(ies): CVE-2020-13091 (** DISPUTED ** pandas through 1.0.3 can unserialize and execute commands from an)

High
Category: Supply Chain
Confidence: 82%
Finding: pandas

Known Vulnerable Dependency: openpyxl — 2 advisory(ies): CVE-2017-5992 (Improper Restriction of XML External Entity Reference in Openpyxl); CVE-2017-5992 (Openpyxl 2.4.1 resolves external entities by default, which allows remote attack)

High
Category: Supply Chain
Confidence: 95%
Finding: openpyxl

Known Vulnerable Dependency: pydantic — 3 advisory(ies): CVE-2021-29510 (Use of "infinity" as an input to datetime and date fields causes infinite loop i); CVE-2024-3772 (Pydantic regular expression denial of service); CVE-2021-29510 (Pydantic is a data validation and settings management using Python type hinting.)

High
Category: Supply Chain
Confidence: 94%
Finding: pydantic

Known Vulnerable Dependency: pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category: Supply Chain
Confidence: 98%
Finding: pillow

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category: Supply Chain
Confidence: 71%
Finding: python-dotenv

VirusTotal

64/64 vendors flagged this skill as clean.