KSeF Accountant (Polish)

Security checks across malware telemetry and agentic risk

Overview

This appears to be an instruction-only accounting reference skill, but its financial examples should be treated as guidance to verify rather than production-ready automation.

Install only if you understand it as reference documentation. Before using its examples in real accounting systems, verify MPP payment flows, FA(3) validation, credential storage, and audit-report redaction against current Polish tax and banking requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The documentation describes Polish split payment (MPP) as two ordinary transfers: one to the seller account and one to a separate VAT account. In practice MPP is a dedicated banking mechanism with a structured transfer message, and modeling it as manual dual transfers can cause regulatory non-compliance, payment misrouting, and broken accounting/payment controls. In an accounting skill for KSeF and Polish VAT, this is especially dangerous because users may implement the example literally and assume it is legally correct.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The helper is presented as pre-send validation for FA(3), but it only checks UTF-8 encoding, XML parsing, and a few literal substrings. This can mislead downstream code or operators into treating malformed or non-compliant invoices as validated, which may cause submission failures, compliance issues, or acceptance of attacker-crafted XML that bypasses expected business-rule validation.

Intent-Code Divergence

Severity: High
Confidence: 94%
Finding:
The document initially states that the skill does not implement token storage or Vault integration, but later contains ready-made code implementing both mechanisms. Such a contradiction can mislead users and scanners, lower vigilance, and encourage handing over secrets or deploying unverified fragments in a financial environment.

Intent-Code Divergence

Severity: Medium
Confidence: 81%
Finding:
The section describes the log as an 'immutable audit log', but the reporting function returns full audit entries, potentially including identifying fields such as session_id, IP address, or user agent. This does not break the immutability of the log itself, but it creates a risk of excessive data disclosure in reports and a false sense of security about the scope of audit exposure.

VirusTotal

66/66 vendors flagged this skill as clean.