ClawHub

Fakturownia CLI

Security checks across malware telemetry and agentic risk

Overview

This is a coherent documentation-only skill for operating a Fakturownia billing CLI, with expected but sensitive invoice, account, email, attachment, and credential workflows.

Install only if you intend to let an agent operate your Fakturownia account through the CLI. Use least-privilege credentials, prefer environment variables or secret stores over literal command-line secrets, confirm recipients before sending invoices or enabling customer-visible attachments, and review any create/update/delete or user-provisioning command before it runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill explicitly instructs users to make invoice attachments visible to customers but provides no warning that attachments may contain sensitive financial, personal, or internal documents. In this billing context, that omission can lead to accidental external disclosure of files that were only intended for internal use, especially if users copy recipe commands without understanding the visibility change.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example enables outbound invoice emailing by default with "send_email": true and prepopulates external recipient addresses, but provides no warning, confirmation requirement, or guidance about disclosure risks. In an agent skill context, examples are often copied directly into execution flows, so this can cause unintended transmission of invoice data to third parties.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill includes authentication examples that pass API tokens, passwords, and integration tokens directly on the command line (for example via `--api-token`, `--password`, and `--integration-token`) without any warning about shell history, process-list exposure, or safer input methods. In a security-sensitive CLI skill, these examples normalize insecure secret-handling practices and can lead to accidental credential disclosure on shared systems, terminals with history sync, CI logs, or monitoring tools.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This skill documents a command that can create or invite users and includes examples for sending passwords and integration tokens, but it provides no warning that the action changes account access or that credentials and tokens are sensitive secrets. In an agent context, that omission increases the chance of accidental privilege changes, insecure handling of secrets in prompts/logs, or unintended user provisioning.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal