Security audit

Fava Beancount Viewer

Security checks across malware telemetry and agentic risk

Overview

This skill is labeled as a Fava/Beancount viewer, but its own artifacts also steer the agent toward broader quant-trading, broker, setup, and persistence workflows.

Review before installing. Treat this as a higher-risk finance/trading assistant, not just a ledger viewer. Use it only in an isolated environment, avoid broker/wallet/paid-provider credentials unless you intentionally need them, require explicit confirmation before any trading or account-impacting workflow, and expect local package installs plus ZVT/data/output files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Description-Behavior Mismatch

Severity: High | Confidence: 95%
Finding
The manifest frames the skill as a Fava/Beancount ledger viewer, but the pipeline and use cases extend into data collection, target selection, and trading execution. This scope mismatch can mislead users and host systems into granting the skill access or authority appropriate for a read-oriented accounting tool while it actually drives higher-risk trading workflows.

Description-Behavior Mismatch

Severity: High | Confidence: 97%
Finding
The prompts and semantic locks focus on market-data strategy development and trading mechanics rather than Beancount/Fava ledger viewing. In a skill ecosystem, this kind of capability drift is dangerous because it hides materially riskier behavior behind a lower-risk identity, increasing the chance of unintended invocation and over-privileged operation.

Intent-Code Divergence

Severity: Medium | Confidence: 89%
Finding
Presenting the skill as a passive ledger viewer while documenting active trading execution creates a deceptive trust boundary. Even without explicit malicious intent, users may approve or invoke the skill expecting analysis-only behavior, when the documented pipeline includes actions that can affect real positions or downstream systems.

Description-Behavior Mismatch

Severity: High | Confidence: 98%
Finding
The human-facing summary describes a materially different skill than the metadata/manifest: a ZVT-based quant trading and backtesting assistant rather than a Fava/Beancount portfolio-management tool. This mismatch can mislead users and downstream agents into invoking the wrong capabilities, expanding trust boundaries and potentially causing unintended code generation, data collection, or trading-related actions under a benign-looking finance skill label.

Intent-Code Divergence

Severity: High | Confidence: 97%
Finding
The listed use cases advertise quant strategy construction, backtesting, factor screening, and market-data recording, which directly contradict the stated Beancount/Fava portfolio analysis purpose. In an agent ecosystem, this kind of capability confusion is dangerous because users or orchestrators may authorize the skill based on one risk profile while the content encourages a much broader and potentially higher-risk financial/trading workflow.

Description-Behavior Mismatch

Severity: High | Confidence: 96%
Finding
The file defines semantic locks and preconditions for a ZVT trading/backtesting workflow that is materially unrelated to the declared Fava/Beancount portfolio-management skill. This kind of capability mismatch is dangerous because it can mislead an agent into invoking unintended trading-oriented commands, installing unrelated packages, or operating on different data/models than the user expected, expanding the attack surface and creating supply-chain and integrity risks.

Description-Behavior Mismatch

Severity: Critical | Confidence: 99%
Finding
The seed manifest materially diverges from the advertised Fava/Beancount portfolio-analysis purpose and instead defines ZVT trading/backtesting behavior, install steps, and execution gates. This scope mismatch is dangerous because a host or user may authorize a seemingly read-only accounting skill but actually enable broader market-data, code-generation, and execution behaviors than expected.

Description-Behavior Mismatch

Severity: High | Confidence: 98%
Finding
The user-facing summary promotes A-share quant strategy building, recorder selection, provider selection, and backtesting, which substantially exceeds the manifest’s described portfolio-viewer function. This is dangerous because it can socially engineer users into approving code execution and environment changes under false expectations about the skill’s real purpose and risk profile.

Context-Inappropriate Capability

Severity: High | Confidence: 97%
Finding
The architecture introduces broad market-data collection, factor computation, target selection, trading execution, and visualization pipelines that are not justified by a Fava/Beancount portfolio viewer. In this context, unnecessary execution-oriented capabilities expand the attack surface and increase the chance of unintended code execution, excessive data access, and misuse beyond read-only ledger analysis.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
Finding
The execution scaffold supports backtest, collector, training, serving, and research entry points, which is far broader than the stated portfolio-analysis scope. Such generic execution modes can enable unauthorized code generation and runtime behavior under a misleadingly narrow skill label, making the skill substantially more dangerous than a normal viewer or reporting extension.

Intent-Code Divergence

Severity: High | Confidence: 98%
Finding
The internal architecture and human summary contradict the manifest by presenting the skill as a ZVT A-share quant tool rather than a Fava/Beancount viewer. Contradictory identity is dangerous because trust and review decisions are made on the manifest description, while the effective behavior nudges users toward broader and riskier actions like strategy generation, data fetching, and backtesting.

Vague Triggers

Severity: Medium | Confidence: 87%
Finding
The execute trigger matches broad intent terms plus generic action verbs such as run or execute, which can cause accidental activation in unrelated conversations. Because the skill's documented scope includes financial analysis and potential trading workflows, ambiguous invocation materially raises the risk of unintended high-impact actions or recommendations.

Vague Triggers

Severity: Medium | Confidence: 80%
Finding
Generic trigger phrases like portfolio management, CLI, or command line are too broad to safely route a specialized financial skill. In context, this is more dangerous because the skill is not merely informational; its surrounding content suggests it may participate in trading and optimization workflows where accidental invocation has higher consequences.

Vague Triggers

Severity: Medium | Confidence: 88%
Finding
The execute trigger fires on broad positive-term matching plus common action verbs like run/execute/fetch/collect, which can capture ambiguous user requests. In a skill that already contains scope confusion and execution scaffolding, broad invocation conditions increase the risk of unintended activation and accidental execution of higher-risk workflows.

Missing User Warnings

Severity: Medium | Confidence: 90%
Finding
The manifest specifies automatic writing of a .skill file after execution, but it does not clearly warn the user up front that execution will persist artifacts to disk. Silent persistence is dangerous because it creates unexpected filesystem side effects and can normalize agent-written artifacts without informed consent.

Missing User Warnings

Severity: Medium | Confidence: 93%
Finding
The installation recipes perform pip installs and environment setup, but the manifest lacks a clear user-facing warning that running the skill may modify the local Python environment. This is risky because users may believe they are invoking a passive analysis skill when in reality it can change dependencies, data directories, and runtime state.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.