Expense Report Generator

Security checks across malware telemetry and agentic risk

Overview

This expense-tracking skill is purpose-aligned and discloses that expense data persists through an external SkillBoss service, with no evidence of hidden or destructive behavior.

Install only if you are comfortable sharing expense amounts, categories, and budget data with the SkillBoss-backed service using your API key. Avoid entering bank credentials, card numbers, or sensitive account details unless the service’s privacy and retention terms are acceptable to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger phrases are broad enough to match common expense-related requests, which can cause the skill to activate when the user did not explicitly intend to use it. In a user-invocable skill with write permissions, unintended invocation increases the chance of incorrect processing or unexpected file output, even though the skill itself is not overtly malicious.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill declares write capability but does not clearly state when files may be created or modified, which reduces transparency and can lead to unexpected persistence of user data. Because the skill handles financial information, silent or poorly explained writes may expose sensitive expense details or create artifacts the user did not expect.

VirusTotal

38/38 vendors flagged this skill as clean.
