Financial Audit Domain

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly aligned with financial report analysis, but it expands into automatic dependency installation and execution behavior without a clear approval step.

Review this skill before installing. It appears designed for legitimate A-share financial statement analysis, but it may install and load another skill automatically and can run local scripts that fetch public financial data and write reports. Use it only if you accept that broader execution path, and prefer an updated version that asks before installing universal-task-os and documents the ~/.workbuddy runtime behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding: The document claims the skill contains no execution framework and cannot execute tasks, but later defines activation-time checks, auto-installation, and delegated execution via UTOS. This contradiction can mislead reviewers and users about the real security boundary, increasing the chance that risky behavior is trusted or enabled without proper scrutiny.

Description-Behavior Mismatch

Severity: Medium
Confidence: 86%
Finding: The skill is presented as a knowledge reference repository, but its rules extend into operational behavior such as automatic dependency handling, external data-source selection, and report generation. This scope expansion weakens informed consent and makes downstream execution risk less visible, especially in environments that grant broader powers to seemingly passive skills.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: For a purported knowledge-reference skill, automatic installation of another skill is not necessary to safely provide reference material and creates an unnecessary trust expansion. If abused, this pattern can be used to bootstrap more capable components than the user expected, effectively bypassing the principle of least privilege.

Context-Inappropriate Capability

Severity: Medium
Confidence: 71%
Finding: The script silently transfers execution into a persistent interpreter located under ~/.workbuddy, which changes process and dependency trust boundaries in a way users may not expect from a financial-analysis skill. If that interpreter or its environment is tampered with, this launcher will run attacker-controlled code before the intended analysis workflow, making the skill context moderately more dangerous because the capability exceeds simple report generation.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill states that it will automatically install a dependency during activation, but does not provide a clear consent gate or warning about the security implications. Silent or implicit installation is dangerous because it can introduce new code, permissions, and execution pathways without a deliberate user decision.

VirusTotal

63/63 vendors flagged this skill as clean.