Revenue Dashboard

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Stripe revenue-reporting skill, but it needs careful handling: its scripts read a Stripe secret key from a local file and pull financial data for the configured accounts.

Install it only if you want local scripts to access Stripe financial data for the configured accounts. Use the most restricted read-only Stripe key available (a restricted key limited to read permissions rather than a full secret key), keep ~/.config/stripe/api_key private with owner-only file permissions (mode 600), avoid sharing generated reports broadly, and enable the nightly cron job only deliberately, because it runs the key-backed scripts unattended on a schedule.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91%
Finding
The skill instructs the user to run local shell commands and Python scripts, but the manifest does not declare corresponding permissions or clearly scope that capability. This creates a transparency and trust problem: a user or orchestrator may activate a skill without realizing it can execute local code paths that access credential files and financial data.

Vague Triggers

Medium
Confidence
85%
Finding
The description contains broad activation phrases such as revenue, sales numbers, growth rate, churn, and financial dashboard, which can cause the skill to trigger in many unrelated finance discussions. Over-broad triggering increases the chance of unintended use of shell-backed workflows and access to sensitive Stripe-linked reporting in contexts where the user did not intend to invoke this skill.

Missing User Warnings

Medium
Confidence
94%
Finding
The setup instructions tell the user to store a Stripe secret key in a local file and proceed with script execution, but they do not warn that this is a highly sensitive credential or advise on secure handling. In a shell-capable skill focused on financial data, missing credential-safety guidance raises the risk of accidental exposure through logs, backups, permissive file permissions, or misuse by other local processes.
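The credential-handling rules from the Overview and from this finding (a restricted read-only key, owner-only permissions on ~/.config/stripe/api_key, nothing sensitive in logs) as an added Python loader that a script would call before touching Stripe. This is example code written for this page, not part of the skill or its scripts; the function names, the placeholder key values, and the assumption that the key should be a Stripe restricted key (rk_ prefix) rather than a full secret key (sk_ prefix) are this example's own. It relies on POSIX file ownership and mode bits.

```python
from __future__ import annotations

import os
import stat
import tempfile

# Path the report names; every check below works on any path passed in.
KEY_PATH = os.path.expanduser("~/.config/stripe/api_key")


def key_format_problems(key: str, require_restricted: bool = True) -> list[str]:
    """Reasons to refuse a key; an empty list means it is acceptable.

    Stripe restricted keys start with rk_, full secret keys with sk_ and
    publishable keys with pk_. A revenue report only needs read access, so
    by default anything but a restricted key is rejected.
    """
    problems = []
    if key.startswith("pk_"):
        problems.append("publishable key cannot read revenue data")
    elif key.startswith("sk_"):
        if require_restricted:
            problems.append("full secret key; use a read-only restricted (rk_) key")
    elif not key.startswith("rk_"):
        problems.append("does not look like a Stripe API key")
    return problems


def file_problems(path: str) -> list[str]:
    """Reasons the key file is unsafe to read: a symlink that could point
    elsewhere, a different owner, or a mode that lets group/others read it."""
    problems = []
    try:
        st = os.lstat(path)  # lstat so a symlink is reported as a symlink
    except FileNotFoundError:
        return [f"{path} does not exist"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("key file is a symlink")
    if st.st_uid != os.getuid():
        problems.append("key file is not owned by the current user")
    if stat.S_IMODE(st.st_mode) & 0o077:
        mode = oct(stat.S_IMODE(st.st_mode))
        problems.append(f"key file mode {mode} is readable by others; chmod 600 it")
    return problems


def load_key(path: str = KEY_PATH, require_restricted: bool = True) -> str:
    """Read the key only after both the file and the key pass the checks."""
    problems = file_problems(path)
    if problems:
        raise PermissionError("; ".join(problems))
    with open(path, encoding="utf-8") as fh:
        key = fh.read().strip()
    problems = key_format_problems(key, require_restricted)
    if problems:
        raise ValueError("; ".join(problems))
    return key


def redact(key: str) -> str:
    """Form of the key that is safe to put in logs or error messages."""
    if len(key) <= 12:
        return "***"
    return f"{key[:8]}...{key[-4:]}"


def write_key_file(path: str, key: str) -> None:
    """Create the key file with mode 600 from the first byte, so a default
    umask never leaves a window in which it is world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(key + "\n")
    os.chmod(path, 0o600)  # tighten a pre-existing file that was created looser


def demo() -> dict[str, str]:
    """Run the checks against constructed key files in a temporary directory.
    The key values are placeholders for this example, not real Stripe keys."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "api_key")
        write_key_file(good, "rk_test_EXAMPLEONLY0000001234")
        results["restricted_key_mode_600"] = redact(load_key(good))

        loose = os.path.join(tmp, "api_key_loose")
        write_key_file(loose, "rk_test_EXAMPLEONLY0000001234")
        os.chmod(loose, 0o644)  # the permissive-mode mistake the finding describes
        try:
            load_key(loose)
            results["restricted_key_mode_644"] = "accepted"
        except PermissionError:
            results["restricted_key_mode_644"] = "refused"

        full = os.path.join(tmp, "api_key_full")
        write_key_file(full, "sk_test_EXAMPLEONLY0000001234")
        try:
            load_key(full)
            results["full_secret_key"] = "accepted"
        except ValueError:
            results["full_secret_key"] = "refused"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Run stand-alone it exercises the three cases in a temporary directory. In the skill's own scripts, load_key() would replace a bare open() of the key file, write_key_file() is how the setup step should create it, and redact() is the only form of the key that should reach a log line, an exception message or a generated report.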

VirusTotal

66/66 vendors reported this skill as clean (no detections). VirusTotal engines match file contents against known malware; a clean verdict says nothing about the credential-handling and triggering risks listed in the findings above, which come from what a benign-looking script is allowed to do.

View on VirusTotal