Heath Ledger

Security checks across malware telemetry and agentic risk

Overview

This bookkeeping skill appears purpose-built, but it stores bank and Stripe API credentials in plaintext and exposes sensitive transaction data to logs or AI processing.

Use this only in an environment where local files and terminal logs are protected. Prefer limited-scope/read-only Mercury and Stripe keys, rotate or revoke them after use, and avoid running AI categorization unless you are comfortable sending transaction counterparties, descriptions, and amounts through the host model workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill clearly describes network-capable behavior such as connecting to Mercury and Stripe APIs, yet no declared permissions are present. This creates a transparency and policy-enforcement gap: users and the host platform may not realize the skill can reach external financial services and transmit sensitive data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The declared description frames the skill as Mercury bookkeeping, but the body expands behavior to Stripe integration, revenue ingestion, database storage, and accounting adjustments. That mismatch can mislead users and reviewers about the true data access scope, causing unintended authorization of broader financial-data processing than expected.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The script stores the Mercury API token directly in a local SQLite database and explicitly normalizes this by stating encryption is unnecessary. Mercury tokens grant access to sensitive financial account and organizational data, so compromise of the local database, backups, logs, or developer workstation could expose live banking access. In a bookkeeping skill tied to bank accounts, this is especially dangerous because the credential directly unlocks high-value financial information and potentially operational banking actions depending on token scope.

Description-Behavior Mismatch

Low
Confidence
96% confidence
Finding
The schema stores provider `access_token` values directly in the `connections` table, implying long-lived bank integration secrets are persisted in plaintext at rest. In a bookkeeping skill handling Mercury financial data, compromise of the local database could expose active banking tokens and enable unauthorized access to sensitive account and transaction data.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger phrases are broad enough to match generic finance or bookkeeping requests, increasing the chance this skill activates outside the user's intended Mercury-specific context. Overbroad invocation can expose sensitive financial workflows or cause the agent to request bank/API credentials when a narrower tool would have been more appropriate.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation instructs users to connect Mercury and Stripe API keys and process transaction data, but it does not prominently warn about privacy, retention, third-party transfer, or handling of highly sensitive financial records. In a bookkeeping context, this is more dangerous because the data includes bank transactions, revenue, fees, and potentially payroll-related information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The AI categorization section states that transaction batches are sent to the host agent's model, but it lacks a strong, explicit warning that sensitive transaction descriptions and financial metadata may leave the local bookkeeping flow for model processing. Because this skill handles bank and revenue records, undisclosed model transmission materially increases privacy, confidentiality, and compliance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script emits raw transaction data, including counterparty names, descriptions, and amounts, to stdout specifically for downstream AI processing, with no consent gate, masking, or destination control. In a bookkeeping skill tied to Mercury bank accounts, this can expose highly sensitive financial data to logs, pipelines, shell history, or third-party models, creating a real confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code silently persists a sensitive API token locally without warning, consent, or confirmation to the user. Even if intended for convenience, users may not realize their banking credential is being retained on disk, increasing the chance of accidental exposure through local compromise, backups, or shared environments. In the context of a Mercury bookkeeping connector, undisclosed storage of banking credentials raises the severity because users are handling highly sensitive financial access tokens.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script stores the raw Stripe API key directly in the database as `access_token` with no indication of encryption, secret management, or user disclosure. If the database is accessed by another component, operator, or attacker, the key can be reused to query Stripe data and potentially perform privileged actions depending on the key's scope, making this especially sensitive in a financial/bookkeeping context.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script prints raw transaction details including counterparties, dates, and amounts to stdout, which can expose sensitive financial data in terminal history, CI logs, shell transcripts, or shared debugging sessions. In a bookkeeping skill that processes bank and accounting records, this is more dangerous because the output directly reveals private business financial activity and vendor/customer relationships.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script prints raw spreadsheet row contents to stdout, which can expose sensitive bookkeeping data such as transactions, counterparties, account balances, and other financial details in terminal history, logs, CI output, or monitoring systems. In the context of a bookkeeping skill handling Mercury bank exports and financial statements, this debug output materially increases the risk of unintended data disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.
