Security audit

Zk Bankir Monitor

Security checks across malware telemetry and agentic risk

Overview

This appears to be a financial monitoring skill with under-disclosed write and server-admin capabilities; users should review it carefully before installing.

Install only if you understand that this is not purely read-only as documented. Use it only on localhost or a trusted internal network, avoid real treasury or approval workflows until authentication and TLS are in place, and require explicit human confirmation before any POST or local Rails runner action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 83%
Finding: The skill invokes shell commands (`curl`, `jq`, and a local `bin/rails runner`) but does not declare permissions or otherwise constrain shell execution. In an agent setting, undeclared command execution increases the risk of operators assuming the skill is passive documentation when it can actually trigger network access and local process execution.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The skill is described repeatedly as a read-only monitor, yet it includes a `POST /api/v1/decisions` example that creates new decisions and changes system state. This mismatch can mislead an agent or operator into executing a write operation in a supposedly safe monitoring workflow, potentially initiating financial actions or approval flows.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: The skill markets itself as API-based monitoring but instructs local server-side execution of `bin/rails runner`, which is materially different from remote read-only API access. This broadens the trust and privilege boundary from simple HTTP queries to local code execution on the banking server, increasing the chance of misuse or unsafe automation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding: Including a local Rails runner command in a monitoring skill introduces unnecessary local execution capability that is not justified by the advertised curl-based monitor use case. Even if the provided command is read-oriented, invoking framework code locally on a treasury server expands the attack surface and can normalize dangerous execution patterns in automation.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding: The compliance section claims the skill is read-only and never performs unsafe operations, but earlier content documents a write-capable POST request. This contradictory documentation can cause users and automated systems to overtrust the skill and run state-changing operations under a false assumption of safety.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill explicitly states the API has no authentication and uses plain HTTP, yet the examples do not prominently warn that treasury balances, decision data, and operational metadata will be transmitted in cleartext and exposed to unauthorized access on non-local networks. For financial monitoring, this can leak sensitive information and enable interception or tampering if used beyond localhost.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The POST example changes application state but is presented alongside read-only monitoring guidance without a clear warning or confirmation barrier. In agent-driven execution, that omission makes accidental mutation more likely, especially because users may rely on the skill's repeated "read-only" framing.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding: The admin endpoint example exposes approval workflow data that may include sensitive operational or financial context, but the documentation does not warn about its sensitivity or access implications. While this is less severe than the write and local-execution issues, it still encourages broad disclosure of privileged information in a banking context.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.