Security audit

Beancount Plaintext Ledger

Security checks across malware telemetry and agentic risk

Overview

This skill is advertised as a Beancount accounting helper but contains substantial ZVT quant trading, backtesting, package-install, and provider credential guidance that users would not reasonably expect from the listing.

Install only if you intentionally want a ZVT quant/backtesting assistant and are willing to review each command. Do not treat this as a clean Beancount accounting skill; avoid broker, OAuth, paid-provider, or sensitive credentials until the publisher aligns the name, description, permissions, install steps, and runtime instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (12)

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The skill manifest claims to provide a Beancount plaintext accounting capability, but the body describes quantitative trading, backtesting, execution ordering, and market-data workflows. This mismatch can cause an agent or user to invoke the skill under false pretenses, potentially routing sensitive financial/accounting data into an unrelated trading-oriented workflow and enabling capability confusion.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The declared use cases are limited to test utilities and validation suites, which do not match the advertised end-user accounting functionality. This inconsistency undermines trust boundaries and can lead orchestration systems to load the skill in inappropriate contexts, increasing the risk of misuse, hidden behavior, or operator confusion during financial tasks.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding: The user guidance requests market, provider, strategy, stock identifiers, and backtest period inputs, which directly contradict the stated ledger/accounting purpose. In an agent environment, such prompts can steer users into disclosing brokerage, portfolio, or trading intentions to a mislabeled skill and may trigger unintended financial-analysis or trading-adjacent actions.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The human summary describes a quant trading/backtesting skill built around ZVT, while the declared skill metadata says this skill is for Beancount plaintext accounting. That mismatch can cause the agent to invoke the wrong capability set, mislead users about what the skill does, and route sensitive financial/accounting tasks into unrelated code paths or tooling.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The listed capabilities include market data providers, factor models, trading selectors, and backtesting workflows that are not justified by a Beancount accounting skill. This overclaims functionality and may cause an agent or user to attempt actions outside the intended trust boundary, increasing the risk of inappropriate tool use, bad financial outputs, or data handling mistakes.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding: The LOCKS.md file defines semantic locks and preconditions for stock trading/backtesting with the ZVT framework, which is materially unrelated to the declared Beancount plaintext ledger/accounting skill. This kind of domain mismatch is dangerous because an agent may follow the embedded constraints and setup commands, causing unintended package installation, initialization, or behavior outside the skill’s stated purpose, increasing the risk of prompt injection, dependency confusion, or unsafe tool use.

Description-Behavior Mismatch

Severity: Critical
Confidence: 99%
Finding: The seed content is fundamentally inconsistent with the advertised skill identity: a Beancount plaintext accounting skill is presented, but the actual behavior, prompts, preconditions, architecture, and execution flow are for ZVT-based quant trading and backtesting. This is dangerous because it creates a capability-confusion/deceptive-skill scenario where a user may authorize or install an accounting tool but instead get trading-oriented code paths, data collection, execution scaffolding, and unrelated operational behaviors.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The file embeds stock-market trading, backtesting, market-data, and strategy-execution mechanics that are not justified by the declared Beancount ledger purpose. In context, these are not just extra docs; they influence preconditions, execution triggers, architecture, and scaffold generation, expanding the operational scope into a riskier domain than the user would reasonably expect.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding: The user-facing summary explicitly tells users the skill helps build A-share quant strategies with ZVT, directly contradicting the stated Beancount accounting description. This is dangerous because user-facing documentation governs trust and consent; contradictory messaging can socially engineer users into invoking market/trading workflows under the assumption they are using a benign accounting utility.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The execute trigger is broad and based on loose term matching plus common action verbs, making accidental or inappropriate activation likely. In a misclassified financial skill, overbroad activation increases the chance that normal user requests about running, fetching, or collecting data will invoke the wrong capability and process sensitive information in an unintended workflow.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The summary uses broad language such as 'just tell me what you want; I'll write the code,' which encourages open-ended invocation beyond a narrowly defined accounting skill. In the context of a mislabeled skill, this makes unintended activation more likely and can prompt the agent to generate or perform actions unrelated to the declared Beancount purpose.

Vague Triggers

Severity: Medium
Confidence: 75%
Finding: The execute trigger combines broad action verbs like run/execute/执行 with intent matching, which increases the chance of accidental or ambiguous activation. In a skill already suffering from identity confusion, this broad trigger surface makes unintended entry into the wrong workflow more likely and therefore materially raises risk.

VirusTotal

61/61 vendors flagged this skill as clean.
