Treeline Money

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for local finance querying, but it can access sensitive financial records and create persistent finance-memory files under broad trigger wording.

Review this skill before installing if you use Treeline with real financial data. It is best treated as a finance-data assistant with both read access and some user-confirmed write/admin workflows, not as a read-only balance checker. Use demo mode first, require explicit confirmation before imports, syncs, tagging, restores, or write-enabled SQL, and only allow saved Treeline user skills when you have reviewed exactly what financial details will be written.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill is presented as a finance chat/query capability, but its documented behavior includes multiple state-changing operations such as sync, import, tagging, restore, compact, demo toggling, and writing new skill files. This creates a capability/expectation mismatch that can lead an agent or user to authorize the skill for read-only use while it performs destructive or persistent actions on sensitive local financial data.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The manifest description uses broad, everyday finance language like querying balances, spending, budgets, and transactions without strong trigger boundaries. In an agent ecosystem, this can cause the skill to activate on common utterances and gain access to highly sensitive financial context more often than intended.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The question-mapping section contains vague prompts like 'Net worth?', 'Balances?', 'Savings?', and 'Recent transactions', which overlap with ordinary conversation. This increases the chance of unintended activation and disclosure of local financial data in situations where the user did not mean to invoke this specific skill.

Session Persistence

Medium
Category
Rogue Agent
Content
Treeline supports user-created skills for personal financial knowledge. Use `tl skills list --json` to discover existing skills and `tl skills read <path>` to read them.

**Creating skills:** When you learn something reusable about the user's finances — tag conventions, account meanings, tax categories, budget targets — ask if they'd like to save it as a skill for future conversations. To create one, write a SKILL.md file to `~/.treeline/skills/<name>/SKILL.md` (use `tl skills path` to get the directory). Follow the Agent Skills standard (agentskills.io).

---
Confidence
89% confidence
Finding
create one, write a SKILL.md file to `~/.treeline

VirusTotal

VirusTotal findings are pending for this skill version.
