Security audit

QuickBooks Direct

Security checks across malware telemetry and agentic risk

Overview

This QuickBooks skill appears purpose-aligned, but it needs Review because it stores powerful accounting credentials in plaintext and can change live financial records without built-in safety controls.

Install only if you trust the publisher and are prepared to treat config.json as a sensitive secret. Start in a QuickBooks sandbox, avoid enabling autoStart for production, restrict file permissions, keep the skill directory out of version control and backups unless encrypted, and manually review every create, update, payment, bill, purchase order, and invoice-send action before allowing it to run against live company data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The changelog presents contradictory security claims: version 1.0.0 states secure credential storage and token encryption, while version 1.0.1 explicitly warns that credentials are stored in plaintext in config.json. This inconsistency can mislead users into deploying the skill under false security assumptions, increasing the likelihood of credential exposure in a skill that handles accounting and payment-related OAuth secrets.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The authentication example explicitly says tokens will be saved to config.json but provides no guidance on securing that file, excluding it from version control, restricting permissions, or using a secrets store. In an accounting integration, OAuth tokens can grant access to sensitive financial records and actions, so normalizing insecure local token storage increases the chance of credential leakage and account compromise.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The examples contain realistic-looking customer, vendor, email, phone, address, invoice, and payment data across a broad accounting workflow without any privacy or safe-testing disclaimer. Even if illustrative, this can encourage users to paste real production financial and personal data into examples, increasing the risk of exposing PII and financial records in logs, screenshots, prompts, or non-production environments.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README documents tools that can create and send invoices in live QuickBooks data without emphasizing confirmation, dry-run behavior, or human review before execution. In a financial automation skill, this increases the risk of accidental destructive or fraudulent business actions such as issuing incorrect invoices or modifying accounting records.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises capabilities to create invoices, payments, bills, purchase orders, and other accounting records, but the documentation does not prominently warn that these actions can modify live financial systems and company books if pointed at production. In a finance/accounting integration, insufficient warnings materially increase the chance of accidental destructive or unauthorized business-impacting actions by users or agents.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The troubleshooting guide instructs users to delete config.json as part of recovery without warning that the file likely contains OAuth credentials, tokens, and local configuration. This can cause avoidable credential loss, re-authentication disruption, and unsafe operator behavior if users follow destructive commands blindly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide recommends force-killing whatever process is listening on port 3000, including with /F, without warning that the process may belong to an unrelated application. In operational environments, this can cause unintended service interruption or loss of unsaved work.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The emergency reset section instructs users to delete node_modules and config.json without caution about data loss, secret removal, or the need to re-enter credentials. While this is framed as troubleshooting, it normalizes destructive remediation steps that can harm availability and increase the chance of mishandling sensitive configuration.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code persists highly sensitive OAuth material and the QuickBooks client secret in a local JSON file in plaintext. If the host is multi-user, compromised, backed up to insecure locations, or the workspace is later exposed, an attacker can reuse the refresh token and client secret to obtain ongoing access to the victim's QuickBooks data.

Credential Access

High
Category
Privilege Escalation
Content
### Token Management

- **Access tokens** expire after 1 hour (refreshed automatically)
- **Refresh tokens** last 100 days (renewed on refresh)
- The skill automatically refreshes tokens before they expire
- Re-authenticate if you see "Not authenticated" errors
Confidence
97% confidence
Finding
Access tokens

VirusTotal

66/66 vendors flagged this skill as clean.