Payroll GL Reconciliation

Security checks across malware telemetry and agentic risk

Overview

This instruction-only payroll reconciliation skill handles sensitive payroll data, but its behavior is disclosed, purpose-aligned, and not executable by itself.

Install only if the agent and workspace are approved for payroll data. Keep payroll exports and generated workpapers in encrypted, access-controlled storage, avoid sharing full employee-level registers unless necessary, and have an authorized accounting reviewer approve any journal entries before posting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
This skill handles highly sensitive payroll data, including employee names, wages, tax withholdings, benefits, and net pay, but does not warn users about secure handling requirements. In practice, that omission can lead to uploads, storage, sharing, or logging of payroll exports and generated workpapers in insecure locations, exposing confidential financial and personal information.

Missing User Warnings

Medium
Confidence: 96%
Finding
The workflow explicitly instructs users to save reconciliation outputs and include original payroll registers as support, but provides no safeguards for storage, retention, or access control. Because payroll registers typically contain sensitive employee PII and compensation data, this creates a concrete risk of unauthorized disclosure through shared drives, overbroad folder permissions, insecure PDFs, or long-term retention of unprotected documents.

VirusTotal

66/66 vendors flagged this skill as clean.
