MY/SG Invoice & Receipt Parser

Security checks across malware telemetry and agentic risk

Overview

The skill is a paid invoice helper that discloses a billing endpoint, but its executable code charges the user before any invoice parsing or explicit per-call confirmation takes place.

Review before installing. Treat this as a paid SkillPay billing/tax-rate helper, not a self-contained invoice parser. Only use it if you are comfortable sending user_id and country to the hosted endpoint and if your agent asks for explicit approval before each charge.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding:
The skill invokes an external network endpoint to perform billing/tax-rate retrieval, but it does not declare any corresponding permission or clearly surface that network behavior in a machine-enforceable way. Undeclared network capability is dangerous because it weakens trust boundaries and allows a skill presented as local parsing logic to transmit data externally and trigger side effects such as billing.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 98%
Finding:
The documented behavior materially differs from the advertised purpose: instead of actually parsing invoices, the skill instructs the agent to call an external endpoint that charges the user and returns tax rates, while the parsing is delegated to the agent itself. This mismatch is dangerous because users and calling systems may trust the skill with invoice-processing workflows when it actually introduces undisclosed payment and data-transfer behavior, creating deception, billing abuse, and privacy risk.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding:
The implemented behavior does not perform invoice or receipt parsing at all; instead, it charges the user and returns tax-rate values. This is a dangerous capability mismatch because a user or platform expecting document extraction could unknowingly invoke a monetized endpoint that performs unrelated actions, which is consistent with deceptive or disguised billing behavior.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The code invokes chargeUser immediately after receiving a user_id, without any visible connection to invoice parsing inputs such as file contents, OCR text, or structured invoice data. Charging users for an unrelated operation creates risk of unauthorized or deceptive billing, especially given the mismatch between the advertised skill description and the actual endpoint behavior.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The usage instructions tell the operator to send a user identifier to a third-party endpoint that may charge the user, but the skill description does not prominently warn about this data transfer and monetary side effect. Hidden transmission of user data combined with possible billing undermines informed consent and can lead to privacy violations, unexpected charges, and misuse in automated workflows.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The endpoint performs a billing action server-side with no visible confirmation, acknowledgment, preview of price, or proof of user authorization in this code path. Even if upstream consent exists elsewhere, this implementation provides no local guardrails against accidental, automated, or abusive invocation that could trigger unwanted charges.

VirusTotal

65/65 vendors flagged this skill as clean.
