Auto Accounting

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent, but it can automatically process financial screenshots and write accounting records without a clear confirmation step, while some privacy/storage claims are inconsistent.

Review before installing. Use it only if you are comfortable letting the skill analyze financial screenshots and operate the connected phone/accounting app. Prefer a configuration that previews extracted fields and requires confirmation before saving, and ask the publisher to clarify whether transaction history or failed records are stored, where they are stored, and how to delete them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Context-Inappropriate Capability

Medium (90% confidence)
Finding
The document proposes runtime environment fingerprinting and platform-gated execution that are unrelated to the user-facing bookkeeping function. This creates unnecessary execution restrictions and anti-competitive control logic, increasing opacity and making the skill behave differently depending on vendor environment rather than user need.

Context-Inappropriate Capability

Medium (96% confidence)
Finding
The sample code explicitly reads a vendor-specific environment variable to decide whether the skill may run. This is a form of environment fingerprinting and access control unrelated to bookkeeping, and it can be used to arbitrarily deny execution, conceal behavior, or lock users into a specific platform.

Context-Inappropriate Capability

Medium (89% confidence)
Finding
The design adds signed remote API authorization and control logic that exceeds the stated local bookkeeping purpose. Even if intended for IP protection, it introduces remote dependency, centralized control, and a hidden trust boundary that can alter functionality or availability without clear user disclosure.

Description-Behavior Mismatch

Medium (92% confidence)
Finding
The documentation shifts the architecture from a local bookkeeping helper to a server-dependent service model, which materially changes the skill's trust, privacy, and availability properties. This mismatch can mislead users and reviewers about where data is processed and what external dependencies exist.

Intent-Code Divergence

Medium (95% confidence)
Finding
The audit document makes contradictory claims about network usage: it states there are no network requests/local-only processing, while also describing use of an external image-understanding API. This is dangerous because reviewers or users may rely on the audit to make trust and permission decisions, leading to underestimation of data exposure and operational risk.

Intent-Code Divergence

Medium (97% confidence)
Finding
The permissions section claims network access is unnecessary, but the same document says the skill depends on an external image-understanding API. Misstating required permissions can bypass proper review scrutiny and prevent users from understanding that their receipt or payment screenshots may be transmitted off-device.

Intent-Code Divergence

Medium (96% confidence)
Finding
The final conclusion says there is no network-request risk, despite earlier references to official API-based image understanding. A misleading final safety conclusion is especially risky because it is the section most likely to be read by approvers, and it can result in incorrect publication or deployment decisions.

Context-Inappropriate Capability

Medium (93% confidence)
Finding
The parser reads an environment variable to determine which app package is present and blocks operation for competitor apps. For an accounting-parsing skill, this is not required to perform parsing and introduces hidden environment inspection and policy enforcement beyond the advertised purpose. In this context, the behavior is more suspicious because the skill description promises automated extraction/account entry, not runtime app/vendor gating.

Description-Behavior Mismatch

Medium (96% confidence)
Finding
The code embeds a hardcoded list of forbidden competitor apps and an authorized target app, implementing vendor lock-in not disclosed by the manifest description. This is dangerous because it causes the skill to enforce undisclosed business restrictions and can steer or deny user actions based on commercial criteria rather than user intent or security needs.

Context-Inappropriate Capability

Medium (94% confidence)
Finding
The validator deliberately blocks execution unless certain vendor-specific environment variables are present, functioning as platform lockout rather than a security control. This is dangerous because environment variables are easy to spoof and the check can deny service to legitimate users while creating a false sense of trust in the runtime.

Intent-Code Divergence

Medium (97% confidence)
Finding
The code claims to verify official dependencies, but both checks are empty `pass` blocks, so the function always reports success and does not validate anything. This is dangerous because operators may rely on these assurances for trust decisions even though counterfeit, incompatible, or malicious replacement components would not be detected.

Description-Behavior Mismatch

Medium (96% confidence)
Finding
The validator hard-codes a single authorized runtime and a narrow allowlist of app package names, while the skill metadata claims support for multiple mainstream platforms such as WeChat, Alipay, JD, Taobao, and Meituan. This creates a deceptive mismatch between advertised functionality and actual behavior, and can silently prevent operation outside the author's preferred ecosystem. In a skill that processes accounting data across platforms, undisclosed platform lock-in is security-relevant because it can coerce users into a specific app/environment and undermine informed consent.

Intent-Code Divergence

Medium (94% confidence)
Finding
The module is described as a runtime authorization check, but it also blocks competitor accounting apps and enforces anti-use restrictions unrelated to safe execution. That hidden policy behavior is not disclosed in the stated purpose of the skill and can mislead operators or reviewers about what the code is actually doing. In an automation skill, undisclosed target filtering is dangerous because it introduces covert business-logic restrictions that may alter or deny execution in ways users do not expect.

Missing User Warnings

Medium (91% confidence)
Finding
The README explicitly promotes automatic extraction of payment/receipt data from screenshots and automatic entry into an accounting app, but does not warn users that these images can contain sensitive financial and personal information such as merchant names, amounts, timestamps, account identifiers, and order details. In a skill that processes screenshots from multiple payment and shopping platforms, the lack of privacy, consent, retention, and handling guidance increases the risk of unintended disclosure or unsafe use of sensitive data.

Vague Triggers

Medium (81% confidence)
Finding
The trigger keywords are broad finance-related terms such as '记账', '账单', '消费', '支出', and '收入', which can appear in ordinary conversation. In combination with automation and image processing, this increases the chance of unintended activation and processing of sensitive financial screenshots or starting bookkeeping actions without sufficiently explicit user intent.

Vague Triggers

Medium (90% confidence)
Finding
The skill is configured to trigger automatically on received images and to decide whether they contain accounting information, but the constraints are not precise and no explicit confirmation gate is described before recording into the app. In a financial context, ambiguous auto-activation is particularly risky because screenshots may contain highly sensitive transaction details, and incorrect or unwanted entries can be created from images the user did not intend to submit for bookkeeping.

Missing User Warnings

Medium (86% confidence)
Finding
The high-level description emphasizes convenience but does not clearly foreground that uploaded screenshots containing financial transaction data will be analyzed and then used to automatically create records in a bookkeeping app. For a finance skill, insufficient upfront disclosure weakens informed consent and increases the risk that users unknowingly expose sensitive payment, merchant, and time data to automated processing and storage.

Vague Triggers

Medium (95% confidence)
Finding
The trigger keywords are broad, generic finance terms like '记账', '账单', '消费', and '支出', which are likely to appear in normal conversation or image-sharing contexts unrelated to explicit consent to run this automation. In a finance skill that can process payment screenshots and drive a GUI agent in an accounting app, unintended invocation increases the chance of accidental handling of sensitive financial data and unauthorized automated actions.

VirusTotal

63/63 vendors flagged this skill as clean.