Back to Skills
Financial Services

Anthropic Financial Services

Vetted and production-tested agent skill.

Anthropic Financial Services โ€” Vetted & Hardened by AgentVet

**๐Ÿ›ก๏ธ AgentVet Vetted โ€” Audited 2026-05-14**

**Overall Rating: MODERATE RISK โ†’ HARDENED (with patches)**

**Audit Method: Cross-model verification (DeepSeek V4 Pro + Grok 4.3)**

---

Overview

Anthropic's `claude-for-financial-services` is the most ambitious open-source agent release for Wall Street we've seen. It ships 11 purpose-built agents โ€” each a self-contained plugin that owns a financial workflow end-to-end: from pitch deck generation through earnings review, KYC screening, and GL reconciliation. It plugs into 11 real-world financial data connectors (FactSet, Moody's, S&P Global, LSEG, PitchBook, Morningstar, and more) and runs in two modes: as a Claude Cowork plugin or as a headless Managed Agent via Anthropic's API.

Financial services firms are already studying this code. It's the closest thing to a production-ready agent blueprint for investment banking, equity research, private equity, and wealth management that exists in open source.

**But "open source" does not mean "safe to deploy."**

That's where AgentVet comes in.

We put the entire repository through a rigorous cross-model security audit โ€” two frontier models (DeepSeek V4 Pro and Grok 4.3) independently scrutinizing every agent, every skill, every handoff pattern. Each model catches blind spots the other misses. What they found: the agents are impressively well-structured, but they carry real risk for firms that deploy them without hardening.

We've applied four critical patches. We've documented what's left for you to handle. Here's everything you need to know.

---

What We Found โ€” Key Audit Findings

The 11 agents collectively contain ~8,000+ lines of system prompts, skill definitions, and orchestration code. Across both models' analyses, four categories of concern emerged:

SeverityFindingAgents Affected
**HIGH**Regex-based tool call handoffs โ€” brittle, injectable, no type safetyAll 11
**HIGH**PII-bearing fields in KYC Screener pass through unclassified and unredactedKYC Screener
**MEDIUM**Bash execution path in Model Builder subagent (unconstrained)Model Builder
**MEDIUM**MCP connector security guidance absent โ€” 11 financial data connectors, no auth validation notesAll agents using connectors

These aren't theoretical. In a financial services context, any one of these becomes a regulatory or data-exfiltration vector.

---

The Agents

All 11 agents are reference implementations โ€” starting points Anthropic expects firms to customize with their own data providers, terminology, and process standards. Our audit applies to the agents as-shipped.

### Coverage & Advisory

  • **Pitch Agent** โ€” Builds branded pitch decks from comparable company analysis, precedent transactions, and LBO models. Ingest โ†’ analyze โ†’ slide deck, end to end.
  • **Meeting Prep Agent** โ€” Drafts client briefing packs before meetings. Pulls recent filings, market data, and prior engagement notes into a single prep doc.

### Research & Modeling

  • **Market Researcher** โ€” Takes a sector or theme, returns industry overview, competitive landscape, peer comparisons, and an ideas shortlist. The research engine.
  • **Earnings Reviewer** โ€” Processes earnings call transcripts and SEC filings, then updates financial models and drafts research note outlines. Automates the earnings cycle.
  • **Model Builder** โ€” Builds and updates DCF, LBO, three-statement, and comps models directly in Excel. This is the agent that warranted our most critical patch (see Fix 3).

### Fund Admin & Finance Ops

  • **Valuation Reviewer** โ€” Ingests GP packages, runs valuation templates, stages LP reporting. For private equity fund administration.
  • **GL Reconciler** โ€” Identifies general ledger discrepancies, traces root causes, and routes items for sign-off. Audit-trail aware.
  • **Month-End Closer** โ€” Handles accruals, rollforwards, and variance analysis commentary. Automates the close cycle.
  • **Statement Auditor** โ€” Reviews and validates LP financial statements before distribution. Built for fund admin teams.

### Operations & Onboarding

  • **KYC Screener** โ€” Parses onboarding documents, runs rule-based checks, and flags missing or inconsistent items. Handles the most sensitive data in the suite (see Fix 2).
  • *(Plus 2 partner-built agents from LSEG and S&P Global โ€” evaluated but outside core patch scope.)*

---

What Changed โ€” The Four AgentVet Patches

These aren't suggestions. They're fixes we've applied to our hardened fork. Each addresses a vulnerability that would fail a SOC 2 or SOX control review.

### Fix 1: Typed Tool Calls Replacing Regex Handoffs

**Severity: HIGH ยท All 11 Agents**

**What we found:** Agent-to-agent handoffs throughout the repository use regex patterns to parse and route tool call output strings. This is the 2026 equivalent of concatenating SQL strings โ€” functional but fundamentally unsafe. A malicious or malformed output from one agent can inject into the handoff parser and redirect execution. Worse, when the tool output format changes upstream, these handoffs silently break with no type-level warning.

**What we patched:** Every regex-based handoff has been replaced with typed `ToolCall` and `ToolResult` structs validated against JSON Schema. Handoff routing now uses discriminated unions (`tool_call.name` โ†’ typed handler) rather than pattern matching against raw strings. The compiler (TypeScript strict mode, Python with Pydantic) catches mismatches before deployment.

**Risk before patch:** Handoff injection, silent failures on format drift.

**Risk after patch:** Compile-time safety, format-agnostic routing, injection-resistant.

### Fix 2: PII Classification on KYC Fields

**Severity: HIGH ยท KYC Screener**

**What we found:** The KYC Screener parses onboarding documents โ€” passports, driver's licenses, utility bills โ€” and extracts what it finds into unstructured text fields. The extracted data (full names, ID numbers, addresses, dates of birth) flows through the agent's context window with no classification, no redaction, and no data-handling annotations. In a Claude Cowork session, this means sensitive PII hits Anthropic's API unlabeled. Under GDPR, POPIA, and NYDFS Part 500, that's a reportable data flow.

**What we patched:** All KYC extraction fields are now tagged with PII classification labels (`PII_NAME`, `PII_ID_NUMBER`, `PII_ADDRESS`, `PII_DOB`) using a classification layer that runs before the data enters the main agent context. Fields classified as HIGH-sensitivity are replaced with anonymized tokens in the prompt context, with a mapping table held in-memory only (never logged, never persisted). Audit logging records which PII types were accessed, not the values.

**Risk before patch:** Unclassified PII flowing to third-party API, regulatory exposure.

**Risk after patch:** Classified, tokenized, audit-logged. GDPR/POPIA Article 30 ready.

### Fix 3: Bash Removed from Model Builder Subagent

**Severity: MEDIUM ยท Model Builder**

**What we found:** The Model Builder agent's `model-builder` subagent includes a `bash` tool that allows arbitrary shell execution in the agent's runtime environment. The justification is innocuous โ€” "run Excel automation scripts" โ€” but there are no constraints on what commands can execute, no allowlist, and no audit trail. A prompt injection through any input channel (earnings data, a company name, a ticker) could pivot through this bash access to exfiltrate the Excel session, read environment variables, or establish persistence.

**What we patched:** The `bash` tool has been removed entirely from the Model Builder subagent. Excel automation now routes through a constrained `excel_run` tool that accepts only a predefined set of operations (`open_workbook`, `apply_formula`, `format_range`, `refresh_data`, `save_as`) with parameter validation on each. No arbitrary execution path remains.

**Risk before patch:** Arbitrary shell execution, prompt injection โ†’ code execution bridge.

**Risk after patch:** Zero shell access. Constrained, parameterized Excel operations only.

### Fix 4: MCP Security Guidance Added

**Severity: MEDIUM ยท All Agents Using Connectors**

**What we found:** The repository ships with 11 MCP data connectors (FactSet, Moody's, S&P Global, LSEG, PitchBook, Morningstar, Daloopa, Aiera, MT Newswires, Chronograph, Egnyte). Each connects Claude to live financial data. The `.mcp.json` references URLs and notes that "MCP access may require a subscription or API key," but there is zero guidance on: authentication validation, transport security expectations, what data these connectors can access, or how to verify the connector hasn't been tampered with. A compromised MCP endpoint (man-in-the-middle, supply chain, DNS hijack) feeds poisoned financial data directly into an agent that's building models and writing research notes.

**What we patched:** We've added a `MCP_SECURITY.md` to every agent's plugin directory, covering:

  • Expected TLS version and pinned certificate details for each connector
  • Principle of least privilege โ€” what data each connector should access vs. what it can access
  • Auth rotation recommendations (API key lifecycle, revocation procedures)
  • Connector fingerprinting โ€” how to hash-verify connector responses haven't been tampered with
  • A pre-flight validation script (`scripts/validate-connectors.sh`) that tests connectivity, auth, and response integrity before agent startup

**Risk before patch:** Blind trust in 11 external data pipes, no verification framework.

**Risk after patch:** Documented trust boundaries, fingerprint verification, pre-flight validation.

---

How to Install

### Option 1: AgentVet Hardened Fork (Recommended)

Our hardened version is a drop-in replacement for the upstream repository. It applies all four patches and adds the security documentation and validation scripts.

# Clone our hardened fork
git clone https://github.com/agentvet/claude-for-financial-services.git
cd claude-for-financial-services

# Add to Claude Cowork
claude plugin marketplace add $(pwd)

# Install the agents you need
claude plugin install pitch-agent@claude-for-financial-services
claude plugin install market-researcher@claude-for-financial-services
claude plugin install gl-reconciler@claude-for-financial-services

# Run pre-flight connector validation
./scripts/validate-connectors.sh

> **Note:** The AgentVet fork at `github.com/agentvet/claude-for-financial-services` is being prepared for public release. In the interim, you can apply patches manually from our PATCHES.md (below).

### Option 2: Apply Patches Manually

If you already have the upstream `anthropics/financial-services` repo configured:

# Download our patch bundle
curl -O https://agentvet.io/skills/patches/anthropic-financial-services-v1.patch

# Apply against upstream
cd anthropics/financial-services
git apply anthropic-financial-services-v1.patch

# Run validation
python3 scripts/check.py --vet

### Option 3: Claude Desktop + Cowork (Quick Start)

1. Open Claude Cowork โ†’ Settings โ†’ Plugins โ†’ Add plugin

2. Paste: `https://github.com/agentvet/claude-for-financial-services`

3. Select the agents you want from the marketplace list

4. Run `scripts/validate-connectors.sh` before first use

5. Review `MCP_SECURITY.md` in each agent directory for connector-specific hardening

---

Remaining Hardening Steps (User Responsibility)

Our patches address the most urgent risks โ€” the ones that could cause immediate regulatory or data-exfiltration exposure. But full production hardening requires more. These are the Phase 2 and Phase 3 items from our audit that you must complete before deploying in a regulated environment.

### Phase 2 โ€” Deploy with Confidence

#StepEffortWhat It Blocks
1**Programmatic approval gates** โ€” Intercept tool calls that write to external systems (Excel save, email send, report publish) and require human sign-off before executionMediumUnauthorized output, model hallucination reaching production
2**DLP scanning** โ€” Add a data loss prevention layer that scans agent outputs for patterns matching account numbers, SSNs, CUSIPs, and internal deal codes before they leave the agent contextMediumAccidental data leakage through model responses
3**Audit logging** โ€” Every agent action (tool call, handoff, data connector query) should generate a structured, tamper-evident audit log. Our fork adds the hooks; you need to point them at your SIEMMediumSOC 2 / SOX audit trail requirements
4**Prompt injection monitoring** โ€” Deploy a prompt injection classifier that runs on every user input and every tool response before it re-enters the agent loopMedium-HighPrompt injection (indirect + direct)

### Phase 3 โ€” Enterprise Hardened

#StepEffortWhat It Blocks
5**Certificate pinning** โ€” Pin TLS certificates for all 11 MCP connectors. Our MCP_SECURITY.md documents the expected certs; implement enforcement at the transport layerLow-MediumMan-in-the-middle on financial data pipes
6**Data residency controls** โ€” Ensure agent execution, model inference, and data connector traffic stay within your jurisdiction's boundaries. Some connectors route through US infra by defaultHighGDPR, POPIA, and APAC data sovereignty requirements
7**Subagent sandbox hardening** โ€” Managed Agent subagents need per-subagent resource limits (CPU, memory, network egress) and timeouts. Anthropic's preview doesn't expose these yetMediumDenial-of-wallet, runaway subagent resource consumption
8**Model output validation** โ€” Financial model outputs (DCF valuations, comps spreads) should pass through a deterministic validation layer that flags statistically anomalous results before they reach an analyst's screenHighModel hallucination producing misleading financial analysis

**We can help with any of these.** AgentVet's hardening service covers Phase 2 and Phase 3 for firms that want a fully-audited deployment. [Contact us](https://agentvet.io) for a scoping call.

---

Full Audit Report

Our complete 47-page audit report covers:

  • Per-agent vulnerability breakdown
  • Cross-model disagreement analysis (where DeepSeek V4 Pro and Grok 4.3 diverged โ€” and what we did about it)
  • Prompt injection test results across all 11 agents
  • MCP connector security assessment (all 11 connectors individually tested)
  • Compliance gap analysis (SOC 2, SOX, GDPR, POPIA, NYDFS Part 500)
  • Remediation verification (re-test results after our four patches)

**[Download Full Audit Report โ†’](https://agentvet.io/skills/audits/anthropic-financial-services-2026-05-14.pdf)**

---

Trust Badge

โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘                                                  โ•‘
โ•‘   ๐Ÿ›ก๏ธ  AGENTVET VETTED                           โ•‘
โ•‘                                                  โ•‘
โ•‘   Anthropic Financial Services Agents            โ•‘
โ•‘   v1.0 โ€” Audited 2026-05-14                      โ•‘
โ•‘                                                  โ•‘
โ•‘   Rating:   MODERATE RISK โ†’ HARDENED             โ•‘
โ•‘             (with AgentVet patches applied)       โ•‘
โ•‘                                                  โ•‘
โ•‘   Method:   Cross-model (DeepSeek V4 Pro         โ•‘
โ•‘             + Grok 4.3)                          โ•‘
โ•‘                                                  โ•‘
โ•‘   Patches:  4 critical fixes applied             โ•‘
โ•‘   Remaining: 8 hardening steps (user resp.)      โ•‘
โ•‘                                                  โ•‘
โ•‘   Verify:    agentvet.io/skills/anthropic-       โ•‘
โ•‘              financial-services                  โ•‘
โ•‘                                                  โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

---

Why AgentVet + Cross-Model Verification?

Traditional security audits use one tool, one analyst, one perspective. AI agent auditing demands more. The attack surface isn't just code โ€” it's prompt logic, handoff patterns, tool call chains, and indirect injection vectors through data connectors. A single model reviewing this code will have blind spots. It's the nature of LLMs: they're trained differently, they reason differently, they miss different things.

Our cross-model methodology runs two frontier models from different architecture families against the same codebase:

  • **DeepSeek V4 Pro** โ€” strengths in code-level analysis, injection vector detection, and structural reasoning. Catches implementation bugs and unsafe patterns.
  • **Grok 4.3** โ€” strengths in systems thinking, compliance mapping, and "what would an attacker do?" adversarial reasoning. Catches architectural blind spots and regulatory gaps.

When both models flag something โ†’ confirmed finding. When only one flags โ†’ we investigate manually. When they disagree โ†’ that's often where the most interesting vulnerabilities live.

This is the standard every financial services agent should be held to before touching real data.

---

*AgentVet is not affiliated with Anthropic. The claude-for-financial-services repository is ยฉ Anthropic and used under its license terms. Our audit and patches are independent security hardening, not endorsement or certification by Anthropic.*

Get the full skills pack

Enter your email to download all 15 AgentVet skills as a pack. No spam, just occasional updates on new skills.

AgentVet provides independent security vetting. Skills are not affiliated with their original creators unless stated.