Wallet (By Budgetbakers)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed read-only helper for querying a user's BudgetBakers Wallet data, with the main risk being careful handling of the Wallet API token and financial output.

Use this only if you trust the publisher and want your agent to read Wallet financial data. Keep WALLET_API_TOKEN out of chats, logs, screenshots, and committed files, set it only in environments where the skill should run, and revoke or rotate the token when it is no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill requires a sensitive `WALLET_API_TOKEN` and shows users how to export it, but it does not warn against leaking the token through shell history, logs, screenshots, shared terminals, or agent outputs. Because this skill accesses personal finance data, token exposure could let an attacker retrieve sensitive account, transaction, budget, and category information from the user's Wallet API.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal