Security audit

Fakturownik

Security checks across malware telemetry and agentic risk

Overview

This is a local Polish VAT invoice generator that, as expected for its purpose, handles sensitive invoice data; users should be careful about the files it stores and about the advertised paid email feature.

Safe to install for local invoice generation with caution: do not enter real customer or tax data unless you know where generated invoices and history are stored, review any files it creates, and independently verify any paid PRO/SMTP setup before sharing credentials or sending invoices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill advertises invoice history and stored business/customer data but does not warn users that sensitive personal and business information may be retained locally or in files. This can lead to unintentional exposure of names, addresses, tax IDs, and billing records, especially if users assume the tool is stateless or do not understand where data is stored.

Missing User Warnings

Medium
Confidence: 91%
Finding
The PRO feature mentions sending invoices directly by email via SMTP, but the skill does not disclose the security and privacy implications of transmitting invoices and handling SMTP credentials. Users may expose invoice contents or misconfigure credentials without understanding the risks, particularly if email transport, credential storage, or recipient validation are not documented.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script writes an invoice containing tax-identifying and business data to a fixed path on disk without explicit user confirmation or a privacy warning. In shared or monitored environments, this can unintentionally disclose sensitive business information and create residual data that persists beyond the current session.

VirusTotal

63/63 vendors flagged this skill as clean.