ClawHub

MS Financial Model

Security checks across malware telemetry and agentic risk

Overview

This is a local Excel financial-model generator with ordinary file-writing and language-default caveats, but no hidden network, credential, persistence, or destructive behavior was found.

Install this only if you want a local Python/openpyxl tool that writes valuation workbooks. Choose the output path carefully to avoid overwriting an existing file, set --lang en if English output is needed, and independently review all financial assumptions before relying on the model.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill description uses very broad trigger conditions such as whenever a user needs financial modeling, valuation, sensitivity analysis, or comps, without defining exclusions, required confirmations, or scope limits. This can cause the skill to activate in contexts where the user did not explicitly request file generation or where the task needs safer handling, increasing the risk of unintended actions and overreach.

Missing User Warnings

Low
Confidence
93% confidence
Finding
The skill instructs creation of .xlsx output files and shows concrete output paths, but does not warn that files may be created, overwritten, or placed in user-accessible directories. In an agent setting, silent file creation can surprise users, overwrite existing workbooks, or leak sensitive financial outputs into unintended locations.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The skill defaults to Simplified Chinese for all sheet titles, labels, and notes without explicit user opt-in. In mixed-language or enterprise environments, this can lead to confusing outputs, downstream processing errors, or accidental disclosure to recipients who are not expecting non-default localization.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal