Back to skill

Security audit

Financial Report Render Claw

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent local report generator, but its HTML renderer can turn untrusted report content into active browser content without a clear warning.

Install only if you will use trusted report configuration/data files or review them before rendering. Treat generated HTML as active content, avoid raw HTML in report text, generate outputs in a dedicated folder, and inspect reports before opening in a browser or sharing externally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
`render_html` creates a Jinja environment with `autoescape=False`, and the template also uses `| safe` for `section.content`. Because the JSON config is treated as input, an attacker can inject arbitrary HTML/JS into generated reports; if the HTML is opened in a browser or reused by downstream systems, this can become stored XSS or active content injection. In this skill's context, report data may come from user- or model-generated content, which makes the trust boundary especially weak.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The template accepts arbitrary HTML in report sections via `{{ section.content | safe }}`, allowing the skill to embed active markup beyond plain report formatting. That exceeds simple beautification/rendering and creates a content injection surface where attacker-controlled data can alter the report, exfiltrate data through remote resources, or execute script depending on the viewing environment.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The trigger keywords include broad everyday phrases such as '生成报告', '做报告', and '整理报告', which can cause unintended activation in unrelated conversations. Accidental activation is a security and safety issue because it may prompt the agent to consume files or produce outputs in contexts where the user did not intend to invoke this file-rendering skill.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill renders untrusted HTML directly into the report without any warning that report viewers may load active content or remote resources. This is dangerous because users may assume generated reports are inert documents, while injected HTML can change presentation, trigger browser behavior, or embed tracking/external fetches when opened.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.