Accountant Priv Assistant

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real personal-finance helper, but it gives broad SQL access to sensitive banking databases without enough safety boundaries.

Review before installing. Use only with your own AccountantPriv databases, prefer read-only copies or read-only SQLite connections, remove real account numbers from shared documentation, and avoid letting the agent store detailed financial history unless you explicitly want that.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium, 95% confidence
Finding
The script exposes a raw `--sql` argument and passes it directly to `cursor.execute(...)` without validating that it is read-only. Although the comments and help text imply SELECT-only behavior, an operator or downstream agent can submit `DELETE`, `UPDATE`, `DROP`, `ATTACH`, or other SQLite statements that modify or exfiltrate sensitive financial data from the user’s local databases. In a personal-finance skill handling bank and card records, this mismatch is especially dangerous because it expands a read-only assistant into a database write/destruction surface.

Intent-Code Divergence

Medium, 93% confidence
Finding
The function documentation claims it executes a SELECT query, but the implementation executes any SQL string provided. That misleading contract increases the chance that callers, wrappers, or agent tooling treat the function as safe for untrusted input when it can actually perform destructive or state-changing operations against highly sensitive financial databases.

Missing User Warnings

Medium, 93% confidence
Finding
The skill is designed to access highly sensitive personal financial records across bank and card databases, but it provides no privacy warning, consent boundary, or minimization guidance. In practice this can lead to unnecessary exposure of transaction history, account-linked data, and spending patterns to users who may not understand the sensitivity or scope of access.

VirusTotal

67/67 vendors flagged this skill as clean.