Card Benefits Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a local credit-card benefits tracker with disclosed local storage and web lookup guidance. It carries privacy and data-quality cautions but shows no evidence of malicious behavior.

Install only if you are comfortable storing card names, annual fees, membership dates, benefit details, and usage history in local JSON files. Do not store card numbers, bank logins, or secrets. Treat web lookups as optional: approve them only when you want card names or spending categories sent to a search provider, and verify results against issuer sources before saving updates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium, 86% confidence
Finding
The skill expands from local personal tracking into live web-driven collection of card benefits, which introduces unnecessary external data retrieval and broadens the trust boundary. Even with user confirmation, web search can surface inaccurate, malicious, or tracking-heavy content and cause the agent to ingest or act on untrusted third-party data.

Context-Inappropriate Capability

Medium, 83% confidence
Finding
Directing the agent to use ddgs for live searches adds an external network capability not clearly scoped in the metadata and not strictly necessary for core local tracking. This can expose user intent to third parties and increase the risk of prompt-injection or bad data from search results influencing stored records.

Context-Inappropriate Capability

Medium, 85% confidence
Finding
Ongoing searches for current cashback rates and bonus categories create a recurring external dependency and repeated ingestion of untrusted content beyond simple local tracking. Because recommendations may influence financial decisions, stale or manipulated search results could mislead users, degrade trust, or cause monetary loss.

VirusTotal

64/64 vendors flagged this skill as clean.
