差旅费用自动报销助手 (Automated Travel Expense Reimbursement Assistant)

Security checks across malware telemetry and agentic risk

Overview

This travel reimbursement skill is mostly purpose-aligned, but it asks for sensitive mailbox access and can submit financial claims or move/delete reimbursement files without clear confirmation checkpoints.

Install only if you are comfortable giving the agent access to reimbursement email, invoice PDFs, local work files, and a reimbursement system. Before use, require manual review before mailbox download, file deletion or movement, and final reimbursement submission; also limit Meituan invoices to clearly travel-related receipts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 86%
Finding
The skill’s declared purpose is travel-expense reimbursement, but it explicitly includes Meituan food-delivery invoices, which can cover non-travel personal consumption. That scope expansion increases the chance the agent collects and processes unrelated personal financial data and may submit inappropriate claims to the reimbursement system.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The skill states that deletion operations require confirmation, but earlier steps instruct automatic deletion of non-PDF attachments during mail handling. This contradiction can lead to unintended destruction of source artifacts, including attachments that may be needed for verification, forensics, or recovery.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The skill directs the agent to access the user’s mailbox, search messages, and download attachments without an explicit just-in-time warning or consent checkpoint. Because email contents and invoice attachments contain sensitive personal and financial data, silent mailbox access materially raises privacy and over-collection risks.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill automates submission of reimbursement data to an external reimbursement system through browser automation, but it does not clearly warn the user before performing this external action. That creates a risk of unintended financial submissions, disclosure of sensitive trip and invoice data to third-party systems, and hard-to-reverse business workflow changes.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill explicitly instructs the agent to create and write local work-product files such as travel-schedule.md and travel-detail.md, but it does not require any user-facing notice or confirmation before modifying those files. In an agent setting, silent file writes can overwrite prior analysis, create incorrect records, or alter business process artifacts without the user's informed consent.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill instructs moving invoice PDF files into a pending subdirectory and deleting related content from travel-schedule.md when the user says a pending itinerary need not be processed, without requiring a strong confirmation or presenting the consequences. These are data-affecting operations on source documents and derived records, so an agent could hide, lose track of, or remove reimbursement evidence needed later for audit or recovery.
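The overview recommends manual review before mailbox download, file deletion or movement, and final submission, and the findings above show why: the skill's own instructions contradict its declared confirmation rule for deletions, and several side-effecting steps carry no checkpoint at all. The block below is an added example of how a host can enforce those checkpoints outside the prompt, where a prompt-injected or simply mis-specified instruction cannot switch them off. It is not code from the skill or from SkillSpector; the action names, the quarantine directory, the vendor name and the receipt categories are all assumptions chosen for illustration.

```python
"""Default-deny confirmation gate for an agent's side-effecting actions.

Added example, not part of the skill or the SkillSpector report. It models
the report's recommendations: mailbox search/download, file writes and moves
and the final reimbursement submission each need an explicit user confirmation,
outright deletion is refused and turned into a move to quarantine, and a
Meituan receipt is accepted only when its category is travel-related.
Action kinds, paths, vendor and category labels are assumed, not the skill's.
"""
from dataclasses import dataclass, field
from enum import Enum
from pathlib import PurePosixPath


class Decision(Enum):
    ALLOW = "allow"      # no side effect on user data; run without asking
    CONFIRM = "confirm"  # run only when the user has explicitly confirmed
    DENY = "deny"        # never run, whatever the prompt or skill text says


# Policy keyed by action kind (assumed names). Unlisted kinds are denied.
POLICY = {
    "invoice.parse": Decision.ALLOW,
    "mailbox.search": Decision.CONFIRM,
    "mailbox.download_attachment": Decision.CONFIRM,
    "file.write": Decision.CONFIRM,
    "file.move": Decision.CONFIRM,
    "reimbursement.submit": Decision.CONFIRM,
    # The report found deletion instructed without the promised confirmation;
    # the host refuses it entirely and offers quarantine instead.
    "file.delete": Decision.DENY,
}

# Assumed category labels. Meituan also sells food delivery, which is the
# out-of-scope case the report flags; only these categories count as travel.
TRAVEL_CATEGORIES = {"train", "flight", "hotel", "taxi", "ride_hailing"}


@dataclass
class Action:
    kind: str
    target: str
    confirmed: bool = False  # set by the host only after a user-facing prompt


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)


class ConfirmationRequired(Exception):
    """Raised when a CONFIRM action is attempted without user confirmation."""


def decide(action: Action) -> Decision:
    return POLICY.get(action.kind, Decision.DENY)


def run(action: Action, log: AuditLog) -> str:
    """Apply the policy to one action; returns 'executed' or 'denied'.

    A CONFIRM action without confirmation is logged as blocked and raises,
    so the caller must surface a just-in-time prompt before retrying.
    """
    decision = decide(action)
    if decision is Decision.DENY:
        outcome = "denied"
    elif decision is Decision.CONFIRM and not action.confirmed:
        log.entries.append((action.kind, action.target, "blocked"))
        raise ConfirmationRequired(
            f"{action.kind} on {action.target} requires user confirmation")
    else:
        outcome = "executed"  # the real tool call would go here
    log.entries.append((action.kind, action.target, outcome))
    return outcome


def quarantine_instead_of_delete(path: str) -> Action:
    """Rewrite a requested deletion into a move into a sibling 'quarantine'
    directory (assumed layout) so source artifacts survive for verification."""
    p = PurePosixPath(path)
    return Action("file.move", str(p.parent / "quarantine" / p.name))


def is_in_scope_receipt(vendor: str, category: str) -> bool:
    """Scope check for the Meituan case: a receipt is claimable only when its
    category is clearly travel-related. Applied uniformly to every vendor."""
    return category in TRAVEL_CATEGORIES


def plan_claim(receipts: list[dict]) -> list[Action]:
    """Build the list of actions a claim would take, filtering out-of-scope
    receipts up front so they never reach the submission step."""
    actions = []
    for r in receipts:
        if not is_in_scope_receipt(r["vendor"], r["category"]):
            continue
        actions.append(Action("invoice.parse", r["file"]))
        actions.append(Action("file.move", f"/work/pending/{PurePosixPath(r['file']).name}"))
    if actions:
        actions.append(Action("reimbursement.submit", "expense-system"))
    return actions


if __name__ == "__main__":
    # Constructed sample receipts, not real data.
    sample = [
        {"vendor": "Meituan", "category": "hotel", "file": "/work/inbox/hotel.pdf"},
        {"vendor": "Meituan", "category": "food_delivery", "file": "/work/inbox/lunch.pdf"},
    ]
    for a in plan_claim(sample):
        print(a.kind, a.target, decide(a).value)
```

The point of the design is that the policy table lives in the host, not in the skill text: even if the skill's instructions (or injected content in an invoice or e-mail) tell the agent to delete attachments or submit without asking, the host still refuses the deletion and still blocks the submission until `confirmed` has been set by a real user-facing prompt, and the audit log records every blocked attempt.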

VirusTotal

VirusTotal findings are pending for this skill version.
