Security audit

Bookkeeping Agency Skill System

Security checks across malware telemetry and agentic risk

Overview

This accounting-agency skill is not clearly malicious, but it describes broad automation over sensitive financial, customer, employee, and communications data without enough privacy, consent, or human-review safeguards.

Install only after treating this as a sensitive business-operations skill. Use it in a controlled environment with clear client authorization, privacy notices, opt-out handling, role-based access, redaction, retention rules, secure delivery of reports, and human approval before outreach, filings, payroll/tax decisions, incident statements, or archive destruction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Vague Triggers

Medium
Confidence: 95%
Finding
The trigger list is very broad and includes common accounting and tax terms such as '财税', '报税', '凭证', and '财务报表', which are likely to appear in many ordinary conversations. This creates a real risk of unintended skill activation, causing the agent to load bookkeeping-specific instructions in contexts where the user did not actually request this skill.

Missing User Warnings

Medium
Confidence: 93%
Finding
This capability explicitly proposes fully automated collection of social-media and public-opinion data across named platforms, plus NLP sentiment analysis and alerting, without any guardrails on lawful collection, personal-information minimization, platform Terms compliance, or retention/use restrictions. In a bookkeeping/tax agency context, monitored content may include customer complaints, employee allegations, contact details, or tax-related accusations, so the lack of privacy/compliance warnings increases the risk of improper personal-data processing and unauthorized surveillance-like monitoring.

Missing User Warnings

Medium
Confidence: 91%
Finding
The negative-publicity response SOP references handling incidents involving customer/employee information and privacy-leak scenarios, and it generates response scripts and internal notification workflows, but it does not define safeguards for sensitive-data handling or publication review. That omission can lead to over-disclosure in public responses, wider internal dissemination of confidential details, and secondary privacy harm during incident response.

Missing User Warnings

Medium
Confidence: 92%
Finding
The landing-page design explicitly specifies collecting personal data fields such as name and mobile number, but it does not mention any privacy notice, consent language, retention limits, or lawful basis for collection. In a lead-generation workflow for bookkeeping and tax services, this creates a realistic risk of non-compliant personal data collection and misuse, especially because users may submit sensitive business-identifying information in a regulated professional-services context.

Missing User Warnings

Medium
Confidence: 94%
Finding
This section explicitly defines ingestion and automated cleaning of highly sensitive multi-source data, including financial records, tax filings, HR/payroll, customer information, and external business intelligence, yet it provides no constraints on consent, minimization, retention, masking, or access control. In this context, the omission is dangerous because the skill is designed for bookkeeping agencies handling regulated and confidential client data at scale, so users may operationalize broad collection and processing workflows without privacy safeguards or legal review.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill describes automatic generation of daily/weekly/monthly reports and anomaly alerts spanning outputs from all analytics units, which could aggregate and redistribute the most sensitive operational, financial, HR, tax-risk, and customer data in one place. Without warnings or controls around redaction, recipient scoping, approval workflows, and secure delivery, this creates a realistic risk of unauthorized disclosure, over-broad internal access, and accidental leakage through notifications or dashboards.

Missing User Warnings

Medium
Confidence: 92%
Finding
This section describes fully automatic ingestion, deduplication, assignment, and dashboarding of lead data sourced from forms, telemarketing lists, referrals, business cards, and public registration data, including contact details and tax-related business attributes, but it contains no mention of consent, lawful basis, notice, retention, or access controls. In a bookkeeping/tax-agency context, this is privacy-sensitive commercial and personal data, so normalizing and operationalizing it at scale without explicit safeguards creates material risk of non-compliant collection, profiling, and misuse.

Missing User Warnings

Medium
Confidence: 89%
Finding
This section automates customer satisfaction outreach across WeChat, SMS, and phone channels based on trigger conditions, yet provides no warning about contacting customers, frequency limits, consent/opt-out requirements, or the business impact of unsolicited communications. Because this skill targets real bookkeeping clients, automated contact workflows can cause privacy violations, spam, reputational damage, and regulatory complaints if deployed without human review and communication controls.

Missing User Warnings

Medium
Confidence: 95%
Finding
This section specifies fully automatic collection and structuring of multi-channel feedback including WeChat messages, call transcript conversions, emails, online reviews, complaint tickets, and contextual service-event linkage, but it does not mention monitoring disclosure, recording consent, minimization, or protection of the resulting dataset. In the accounting/tax-service setting, these channels may contain personal data, financial context, disputes, and sensitive business details, so centralized automated surveillance and classification substantially increases privacy, insider-misuse, and compliance risk.

Missing User Warnings

Medium
Confidence: 88%
Finding
This workflow explicitly describes fully automated processing of highly sensitive financial and personal data, including invoices, bank records, payroll, ID-linked tax data, and social security information, but provides no privacy safeguards, consent requirements, human review gates, or verification warnings. In a bookkeeping and tax-filing skill, this is especially dangerous because the data is both regulated and high-impact: automation errors or misuse could expose personal data, propagate fraudulent filings, or cause unauthorized financial actions at scale.

Missing User Warnings

Medium
Confidence: 90%
Finding
The archive-management section describes fully automated storage indexing, retention labeling, and destruction approval records for financial, tax, contract, and customer archives without any warning about legal hold, authorization, review, or irreversible deletion risk. In this accounting context, archived records are often legally mandated evidence, so unsafe automation around retention and destruction can lead to compliance violations, loss of audit trails, privacy breaches, or permanent destruction of records that must be preserved.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.