Hledger

Security checks across malware telemetry and agentic risk

Overview

This hledger wrapper has a real command-injection risk that can let crafted input run unintended local shell commands.

Review carefully before installing. Use this only in a trusted local environment, and prefer a fixed version that uses spawn or execFile with validated hledger arguments, explicit file limits, and clear user confirmation before running local commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Missing User Warnings

Medium
Confidence: 99%
Finding
The skill passes untrusted user input directly into `child_process.exec` via string interpolation, which invokes a shell. This enables command injection, allowing an attacker to append arbitrary shell operators and execute system commands under the agent's privileges; the lack of user-facing warning is secondary to the more serious unsafe execution design.

Vague Triggers

Medium
Confidence: 81%
Finding
The package metadata describes the skill in very broad terms such as 'Run hledger CLI commands' and 'Execute hledger commands and return output' without constraining which commands, arguments, or data sources are allowed. For a skill that wraps a CLI, this ambiguity can enable overbroad invocation and make it easier for downstream components or users to trigger sensitive ledger operations beyond the intended scope.

VirusTotal

64/64 vendors flagged this skill as clean.
