Fundraising Advisor

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate fundraising assistant, but it warrants review because it handles sensitive financial documents and, by default, saves generated reports locally with inconsistent disclosure of that behavior.

Install only if you are comfortable sharing confidential fundraising and financial details with this local skill. Be careful with PDFs and generated reports: review where the output directory is, disable PDF generation when not needed, and remove or encrypt reports that contain sensitive company or deal data. Treat valuation and investor recommendations as advisory estimates, not legal, accounting, or investment advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill demonstrates file read/write capabilities by offering to save generated documents and by importing local JSON data, yet the manifest declares no required permissions. This creates a transparency and consent gap: operators and users cannot accurately assess what the skill may access or persist, which is especially risky given the highly sensitive financial, valuation, and investor data the skill handles.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The declared description frames the skill as a fundraising advisor, but the documented behavior expands into investor-side deal analysis, recommendation generation, due diligence support, and business plan/memo creation. This mismatch undermines informed consent and trust boundaries, because a user or platform may activate the skill expecting founder-focused assistance while it also performs materially different high-stakes financial analysis workflows.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation says the skill cannot read external files or documents, while the manifest advertises PDF processing and OCR. Contradictory statements about data access create unsafe operator assumptions: users may disclose confidential files believing they will not be processed, or defenders may under-scope review of file-handling behavior.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The manifest advertises PDF processing and OCR, but the body of the skill only describes conversational data handling and explicitly states it cannot read external files. This is a serious specification inconsistency around file ingestion, which can lead to unauthorized expectations of document access, improper deployment decisions, and mishandling of sensitive financial records.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation encourages OCR and PDF parsing of financial statements and scanned documents, which are likely to contain sensitive business and personal data, but it provides no warning about privacy, confidentiality, retention, or secure handling. In a fundraising advisory context, this is more dangerous because users are specifically likely to process investor materials, financials, and corporate documents that may contain highly sensitive information.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The documentation states that generated PDF reports will be saved to an output directory but does not warn users that potentially sensitive assessment and valuation reports will be written to disk. In this skill's context, those reports may contain confidential fundraising data, so silent local persistence increases the risk of unintended disclosure through shared machines, backups, or insecure file permissions.

Vague Triggers

Medium
Confidence
82% confidence
Finding
An overly broad trigger phrase can cause the skill to activate on ordinary conversation, increasing the chance it processes sensitive business or financial data unexpectedly. In an agent environment, ambiguous invocation boundaries can lead to unintended execution, surprise data handling, and confusion about which skill is operating.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The closing call-to-action uses a generic phrase that could overlap with normal user conversation, making accidental activation more likely. Because this skill handles fundraising, valuation, and potentially PDF-derived financial content, unintended routing could expose confidential startup data to the wrong workflow or processing path.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The activation conditions use broad phrases such as asking for help with fundraising, assessment, recommendations, or analysis, which can cause the skill to trigger in situations where the user did not intend to engage a finance-focused advisor. Unintended activation increases the chance of collecting sensitive startup or investor data unnecessarily and of producing high-stakes financial guidance out of context.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill is designed to solicit highly sensitive company, financial, fundraising, valuation, and investor information, but it does not present a clear upfront warning or data-handling notice at activation. In this context, omission of sensitivity guidance is dangerous because users may share confidential business information without understanding the privacy, retention, and exposure implications.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The quick-command examples are generic natural-language phrases such as "Assess my startup project" and "Create an investment memo," which can plausibly appear in ordinary user conversation and may unintentionally trigger the skill. In an agent environment, ambiguous activation can expose sensitive startup or financial data to the wrong workflow, produce unsolicited advisory outputs, or bypass clearer user-consent boundaries.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The example trigger begins with the very broad phrase "I need help preparing for Series A fundraising," which is common conversational language and could be matched accidentally in routine dialogue. Because this skill handles confidential fundraising, valuation, and investor-matching tasks, unintended activation raises the risk of processing sensitive business information without explicit intent.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
`startup_package()` enables `generate_pdf=True` by default and writes reports into a local `output` directory without an explicit opt-in or warning. In an agent environment, this can create unintended persistent artifacts containing sensitive startup financials, valuations, and assessment data, increasing the risk of local data exposure or accidental retention.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
`investor_package()` also defaults to generating and persisting a PDF memo on disk without explicit consent. Because the memo may summarize diligence and valuation judgments about a target company, silent file creation can leak confidential deal-analysis material in shared or ephemeral execution environments.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pytest-mock>=3.12.0

# Code quality
black>=23.0.0
ruff>=0.1.0
mypy>=1.7.0
isort>=5.12.0
Confidence
97% confidence
Finding
black>=23.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
sphinx-rtd-theme>=1.3.0

# Development tools
ipython>=8.12.0
jupyter>=1.0.0
Confidence
99% confidence
Finding
ipython>=8.12.0

Known Vulnerable Dependency: pytest — 1 advisory(ies): CVE-2025-71176 (pytest has vulnerable tmpdir handling)

Low
Category
Supply Chain
Confidence
72% confidence
Finding
pytest

Known Vulnerable Dependency: black — 3 advisory(ies): CVE-2026-32274 (Black: Arbitrary file writes from unsanitized user input in cache file name); CVE-2024-21503 (Black vulnerable to Regular Expression Denial of Service (ReDoS)); CVE-2024-21503 (Versions of the package black before 24.3.0 are vulnerable to Regular Expression)

High
Category
Supply Chain
Confidence
98% confidence
Finding
black

Known Vulnerable Dependency: ipython — 10 advisory(ies): CVE-2023-24816 (IPython vulnerable to command injection via set_term_title); CVE-2015-6938 (Improper Neutralization of Input During Web Page Generation in Jupyter Notebook); CVE-2015-4707 (Improper Neutralization of Input During Web Page Generation in IPython) +7 more

Critical
Category
Supply Chain
Confidence
99% confidence
Finding
ipython

VirusTotal

66/66 vendors flagged this skill as clean.