DeepRead Pay Stubs

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned for pay-stub extraction, but its privacy claims are inconsistent for highly sensitive payroll documents.

Review the publisher's privacy and data-retention terms before use, and assume full pay stubs may be sent to DeepRead unless the publisher clearly documents otherwise. Do not rely on the 'PII redaction built in' claim until the skill explains exactly what is redacted, when it is redacted, and whether redaction happens before any external upload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The skill advertises 'PII redaction built in' in the manifest/description, but later instructs users to use a separate `deepread-pii` skill before sharing externally. In a pay-stub processing workflow, this contradiction can mislead users into transmitting highly sensitive payroll data under a false assumption that redaction already occurred, increasing risk of privacy violations and data disclosure.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The later usage guidance contradicts the earlier safety claim by telling users to redact pay stubs with a separate skill before sending externally. Because this skill handles names, partial SSNs, bank details, and income data, inconsistent privacy claims can cause operators or downstream agents to skip required safeguards and expose regulated personal information to third parties.

VirusTotal

VirusTotal findings are pending for this skill version.
