Invoice Generator

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only invoice helper whose local invoice saving is disclosed and aligned with its purpose, though users should treat saved invoice data as sensitive.

Before installing, understand that the skill is meant to save invoice records and reuse business details. Keep the invoices/ folder private, avoid storing unnecessary bank or payment details, and delete old invoice records when they are no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The invocation examples are very broad and natural-language based, which can cause the skill to activate on ordinary billing-related conversation without clear user intent to invoke this specific capability. In an agent environment, ambiguous triggers can lead to unintended generation of invoices or disclosure/use of business data in the wrong workflow.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs the agent to save invoices, reuse business details, list invoices, and track client invoice history, which implies persistent storage of sensitive business and client data such as names, addresses, emails, payment details, and billing records. There is no guidance on user consent, data minimization, retention, access controls, or safe handling, creating a realistic risk of unauthorized retention or disclosure of financial and personal information.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal