ExpenseLog Conversational Expense Tracking

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local expense-tracking skill that stores expense records on disk and does not show hidden network, credential, or destructive behavior.

Install only if you are comfortable keeping spending details in a local expenses.json file in the skill's working directory. Use explicit phrases such as 'log this expense' for state-changing entries, and avoid sharing sensitive financial details on shared machines or workspaces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 91% confidence
Finding
The description 'Tell your agent what you spent. It tracks everything.' is broad enough that ordinary conversation about spending could unintentionally invoke the skill. In a conversational agent context, over-broad triggering can cause unintended logging of financial activity, privacy leakage, or incorrect records from ambient or unrelated speech.

Vague Triggers

Medium, 90% confidence
Finding
The skill uses broad activation language like 'Tell your agent what you spent. It tracks everything' without defining clear trigger boundaries, confirmation requirements, or scope limits. In a conversational agent, this can cause unintended interception of ordinary messages containing spending-like phrases, leading to accidental logging of sensitive financial data or overreach into unrelated conversations.

Missing User Warnings

Medium, 91% confidence
Finding
The skill persists detailed expense records to a local JSON file without any indication in the code of user notice, consent, or controls around storage of sensitive financial data. In a conversational expense-tracking skill, users may reasonably share private spending details, so silent local persistence increases privacy risk if the host machine, account, or workspace is shared or compromised.

VirusTotal

61/61 vendors flagged this skill as clean.
