Spend Intelligence

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only spend analysis skill that fits its stated finance purpose, though users should treat any company transaction data they provide as sensitive.

Safe to install as a guidance-only analysis framework. Before using it, provide only the fields needed for spend analysis and redact bank account numbers, tax IDs, payment credentials, employee personal data, confidential contract terms, and unrelated vendor details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly asks for transaction and spending data, which commonly contains sensitive business and financial information, but provides no warning, minimization guidance, or handling safeguards. This creates a realistic risk that users will paste confidential invoices, vendor details, account identifiers, or other sensitive data into the system without understanding the privacy implications.

VirusTotal

65/65 vendors flagged this skill as clean.
