fp-skill

Security checks across malware telemetry and agentic risk

Overview

This invoice-checking skill has a plausible purpose, but it automatically handles sensitive files while bypassing browser security warnings and making persistent local changes.

Install only after reviewing and modifying the code to fail closed on browser security warnings, require explicit approval for each file upload, remove the patch script or make it user-confirmed with backups, and disable or clearly control screenshot retention. Treat invoice PDFs and screenshots as sensitive business records.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (6)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: This patch expands a previously local-only image parsing function to fetch arbitrary remote URLs, adding outbound network access to another skill without any validation, allowlist, or clear business justification. In an agent environment, this can enable SSRF, unexpected data exfiltration paths, or access to internal-only resources, making the modified skill materially more dangerous than the original.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The trigger text is broad enough to match common user phrasing such as asking for help checking an invoice, which can cause the skill to activate unexpectedly. Because this skill performs automated web interaction, overbroad triggering increases the chance of unintended browsing, data entry, or exposure of invoice-related information.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill advertises screenshot capture during automated web interaction but does not warn users that screenshots may record sensitive information visible on the page. In the context of invoice verification, screenshots could capture invoice codes, numbers, tax data, or other personal/business information and persist it unnecessarily.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill automatically uploads a local PDF from disk to a remote government website without any user confirmation, validation, or disclosure. In an agent/automation context, this can leak sensitive local documents or invoice data to an external service unexpectedly, especially if the file path is changed or influenced by surrounding workflow logic.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The code explicitly bypasses browser TLS/security warnings by clicking through 'details' and 'proceed', including a JavaScript fallback. This defeats an important browser trust boundary and can expose uploaded documents, captcha data, and session activity to man-in-the-middle attacks or unsafe endpoints if the certificate warning is legitimate.

Missing User Warnings

Severity: Low
Confidence: 81%
Finding: The skill saves a browser screenshot to disk without informing the user or minimizing captured content. Screenshots can contain sensitive invoice details, verification results, or other page data, and storing them in a workspace path may create unnecessary retention and secondary disclosure risk.

VirusTotal

65/65 vendors flagged this skill as clean.
