ANVX - Token Economy Intel

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly read-only and finance-focused, but it asks for very sensitive financial credentials and data while several data-flow and storage details are under-disclosed or inconsistent.

Install only if you are comfortable giving this skill read-only access to broad financial and operational accounts, including possible crypto and bank-CSV data. Use restricted read-only provider credentials, avoid wallet seed phrases or write-enabled exchange keys, expect local persistence under ~/.token-economy-intel, and understand that some financial record details may be sent to Anthropic for categorization.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (35)

MCP Least Privilege

Medium
Confidence
84% confidence
Finding
The skill declares no explicit permissions while its documented behavior clearly requires environment access, local file read/write, credential storage, and network access. This creates a transparency and governance gap: users and hosting platforms may authorize the skill without understanding that it will access secrets, persist financial data locally, and call remote APIs.

MCP Tool Poisoning

High
Confidence
95% confidence
Finding
The manifest frames the skill as AI API spend tracking, but the documentation expands into broad financial intelligence: cloud, ads, payments, communications, crypto balances, bank CSV ingestion, local persistence, and optional telemetry. This mismatch materially increases the risk of over-collection and user mis-consent because operators may authorize a much broader financial data processor than advertised.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The documented scope extends beyond AI API spending into a generalized financial intelligence product, including non-AI operational spend categories and portfolio data. Even if the behavior is intended, this is security-relevant because users may disclose or authorize access to more sensitive financial information than the listing implies.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Crypto wallet and exchange portfolio monitoring introduces materially more sensitive data handling than simple AI API cost tracking. Even if read-only, it exposes holdings, account linkage, and potentially deanonymizable financial information, expanding the blast radius of compromise or misuse.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Bank statement CSV ingestion is substantially outside the stated scope and can expose highly sensitive transaction-level financial data, merchant history, and personal identifiers. Because users may not expect this from an AI spend tracker, the mismatch increases the chance of uninformed consent and excessive data access.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The docstring states the connector uses SigV4 authentication, but the implementation only sets a few X-Amz headers and never computes or applies an AWS Signature Version 4 Authorization header. This means requests are not actually authenticated as claimed, causing failed requests at best and creating a dangerous mismatch between documented and actual security behavior that can mislead maintainers into believing AWS credentials are being handled securely and correctly.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The helper claims to build a JWT for GCP service account authentication, but it actually returns a hardcoded stub signature that will always be rejected. This creates a reliability and security-design issue: the connector appears to implement authentication but cannot ever succeed in normal mode, which can mislead operators and downstream systems into trusting a nonfunctional auth path.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The file-level and class documentation state that the connector fetches Gemini billing and usage data, but the production implementation never retrieves billing records and instead always returns an empty list. This can mislead downstream systems, operators, or customers into believing spend visibility exists for Gemini when actual spend is silently omitted, causing incomplete financial reporting and bad optimization decisions.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
In the context of a spend-tracking and optimization product, returning empty production records for Gemini creates a silent coverage gap: actual Gemini costs may be treated as zero. That can lead to underreported spend, incorrect budgeting, missed alerts, and faulty optimization recommendations across a provider the product claims to support.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The model records raw user queries and the overall state is persisted to disk, which means potentially sensitive financial questions, provider names, account context, or business details may be stored locally without explicit consent, minimization, or retention controls. In a financial optimization skill, these queries can easily contain confidential operational or strategic information, so persistent storage increases privacy and data exposure risk if the host is shared or compromised.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill claims to track AI API spend, but the connector registry pulls in broad financial domains including ads, payments, cloud, communications, crypto, and revenue. This materially expands data collection beyond the advertised scope, increasing privacy and financial exposure if a user enables live integrations or relies on the skill's description to understand what is being processed.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The query path can fall back to printing model.get_context_for_llm(), which may expose the entire financial model context rather than a narrow answer about AI API spend. In a tool handling sensitive financial records, broad contextual output increases the risk of unnecessary disclosure to the terminal, logs, screenshots, or downstream LLM integrations.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The setup UI explicitly tells users that keys 'never leave your machine', but the flow later calls provider connectors to validate credentials using network requests before storing them. This is a trust-boundary and transparency issue: users may enter highly sensitive credentials under a false assurance about data handling.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The synthetic profile explicitly includes crypto wallet and exchange connectors, which expands the skill's data model beyond its stated purpose of AI API spend tracking. Even if this is test data, adding financial asset surfaces increases the chance that production code paths, permissions, UI flows, or downstream analytics will normalize access to unrelated sensitive financial information.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The file models personal crypto holdings in the persona data and later aggregates holdings totals, despite the product being described as AI API spend optimization. This kind of scope expansion is dangerous because it conditions the system to ingest and summarize sensitive personal asset data that is not necessary for the advertised function, creating privacy, over-collection, and misuse risk.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The setup flow solicits credentials and data sources far beyond the stated purpose of optimizing AI API spend, including crypto, cloud, communications, monitoring, and payment accounts. This materially expands the data-collection surface and exposes highly sensitive financial and infrastructure information without clear necessity or scoped consent, increasing privacy and breach risk.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
Importing full bank statement CSVs for generalized spending analysis exceeds the claimed purpose of AI API spend optimization and can expose unrelated personal or business financial transactions. In this context, collecting bank statements is especially sensitive because users may not expect broad financial surveillance from a narrowly described billing tool.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Bank statement ingestion is context-inappropriate for a skill positioned as AI API spend optimization because it processes highly sensitive financial data unrelated to many users' expected use of the product. This mismatch increases the chance of over-collection, accidental disclosure, and user deception, even if the code itself is not overtly malicious.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends raw financial record fields including amount, provider, source, description, subcategory, and model to Anthropic for classification, which is a third-party external API. Financial records can contain sensitive business or personal data, and this file contains no consent, minimization, redaction, or user-visible disclosure controls before exfiltrating that data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
User financial queries are appended to history and later included in the serializable model state, causing potentially sensitive business or financial inputs to be retained on disk without any visible notice in this code path. Because the skill's purpose is cost/spend optimization across multiple AI providers, user prompts may include proprietary budgets, vendor usage, or internal strategy, making silent retention materially risky.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The financial model is persisted with model.save() after processing, but the CLI does not warn users that sensitive billing, revenue, and crypto-related state may be written to disk. Silent persistence of financial data can create local confidentiality risks, especially on shared systems or when the state path is predictable or insecurely permissioned.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code records user queries via model.record_query(args.query) without informing users that their prompt text may be retained. Because queries can contain sensitive business or financial details, undisclosed retention creates a privacy risk and may violate user expectations or internal data-handling requirements.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The validation routine invokes connector.connect(creds), which likely transmits entered secrets to third-party APIs, but the setup flow does not clearly warn users that validation involves external service calls. This creates a consent and data-handling risk, especially for high-value cloud, payment, and exchange credentials.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script interactively collects highly sensitive secrets such as API keys, cloud credentials, exchange secrets, and service-account JSON using plain input(), which echoes them to the terminal and provides no warning about storage, transmission, or downstream use. It then passes those credentials directly to connector code, so users may disclose secrets without understanding network access, logging, or retention behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code persists raw user questions via model.record_query(question) without any visible notice, consent flow, or minimization. Financial queries can contain sensitive business information, vendor names, spending levels, revenue details, or internal strategy, so storing them silently increases privacy and data-handling risk if logs are later accessed, retained too long, or reused unexpectedly.

VirusTotal

65/65 vendors flagged this skill as clean.