Mortgage

Security checks across malware telemetry and agentic risk

Overview

This mortgage helper is local-only and purpose-aligned, though users should treat it as educational support and avoid relying on it for lender or loan decisions.

Install only if you are comfortable entering mortgage-related financial details into local workspace memory. Use it for estimates, checklists, and organization, not as mortgage advice; verify lender terms with licensed professionals and be aware that several referenced helper scripts are not included in this package.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The skill explicitly says it will 'NEVER recommend specific lenders,' yet it includes lender comparison functionality and stores 'lender comparison notes.' Even if framed as comparison rather than recommendation, this creates a policy-boundary ambiguity that could lead the agent to influence regulated financial decisions or drift into personalized lender recommendations.

Intent-Code Divergence

Medium
Confidence: 77%
Finding
The file states there is 'No connection to lender systems' but later instructs tracking a mortgage application by application ID, which implies access to live external status unless clearly simulated or user-maintained. This inconsistency can mislead users about data flows and privacy, causing them to expose sensitive application identifiers under false assumptions about how tracking works.

VirusTotal

58/58 vendors flagged this skill as clean.
