MILKEE Swiss Accounting

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims for MILKEE accounting, but its documentation includes realistic API-token examples and grants account-level business-data access, so users should review it carefully before installing.

Install only if you trust the publisher and are comfortable granting MILKEE account access. Use a dedicated or least-privileged API token if MILKEE supports it, and avoid copying the example tokens. Keep your real token out of git, logs, screenshots, and shell history, rotate any token that may have been exposed, and review create/update/log-time actions before letting an agent run them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares required environment variables but does not declare permissions despite clearly requiring environment access, network access to the MILKEE API, and local file read/write for timer persistence. This is dangerous because the runtime/operator may not have clear visibility into the skill's effective capabilities, weakening review and consent around access to credentials, network egress, and filesystem writes.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The documentation includes a live-looking bearer token in the authentication example (`USER_ID|API_KEY` with concrete values), which is sensitive credential material even if presented as sample data. In an accounting integration context, exposed API credentials could grant unauthorized access to company financial, customer, project, and time-tracking data, and the presence of a realistic token format makes accidental reuse or abuse more likely.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The installation guide shows a realistic full API token in an example and does not clearly label it as fake, revoked, or non-functional. Readers may accidentally reuse it, treat it as valid, or propagate it into logs, screenshots, and repositories; if the credential is real, it would enable unauthorized access to MILKEE account data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide instructs users to store the API token directly in a JSON config file in plaintext without warning at that step about file permissions, secret exposure, or safer secret-loading options. This increases the chance of credential leakage through backups, dotfile sync, local compromise, screenshots, or accidental commits, especially since this is an accounting integration handling potentially sensitive business data.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The documentation states that timer state is persisted to `~/.milkee_timer` and survives between sessions, but it does not clearly warn users that the skill writes local data to disk or describe what fields are stored and for how long. While low severity, undisclosed persistence can surprise users, create minor privacy concerns, and leave stale work metadata on shared systems.

Missing User Warnings

High
Confidence
99% confidence
Finding
This reference file publishes a concrete bearer credential example without any security warning or masking, which normalizes unsafe secret-handling practices and may directly expose an actual credential. Because this skill integrates with MILKEE accounting APIs for Swiss businesses, compromise could expose or modify sensitive business records such as customers, projects, billable time, and related operational data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation shows a concrete, live-looking `USER_ID|API_KEY` example without clearly stating that it is synthetic or safe to publish. Even if intended as a placeholder, realistic credential examples can be mistaken for real secrets, copied into systems, or indexed by scanners, creating avoidable secret-exposure risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The verification section instructs users to export credentials directly in the shell, which can expose secrets through shell history, terminal logs, process inspection, or recorded sessions. In a skill that relies on API access to accounting and time-tracking data, this operational guidance increases the chance of credential leakage during setup and troubleshooting.

Ssd 3

High
Confidence
87% confidence
Finding
The example token appears realistic enough to be treated as a potentially real credential, which creates a direct secret exposure concern if it was copied from an actual environment or later harvested by automated indexing and credential scanners. Because this skill integrates with MILKEE accounting data for Swiss businesses, exposure of a valid token could allow unauthorized access to sensitive business records.

Ssd 3

High
Confidence
98% confidence
Finding
The verification instructions embed a concrete API token value in plaintext shell commands, normalizing unsafe handling of secrets and potentially exposing a real credential anywhere the documentation is stored, viewed, logged, or copied. Since the token is for an accounting integration, compromise could grant access to customer, project, product, and time-entry data, making the context more sensitive than a low-risk demo service.

VirusTotal

66/66 vendors flagged this skill as clean.
