Emissor de Nota Fiscal Paulistana

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine São Paulo NFS-e (municipal service invoice) automation skill, but it grants the agent authority over real tax operations while handling the client certificate, locally stored records, and email sharing too loosely.

Install only if you are comfortable granting this skill authority over real municipal tax operations. Keep the certificate and .env out of synced or shared folders and out of source control, restrict their file permissions to the owning user, require explicit confirmation before every production issue/cancel action and before every email send, and periodically delete or lock down the debug XML and exported accounting JSON files the skill leaves on disk.
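The checks in the paragraph above can be run rather than remembered. The script below is an added example, not code from the skill or from the scanner: it walks a skill folder and reports certificate and .env files readable by other users, files sitting in a cloud-synced folder, secrets not covered by .gitignore, and debug XML or exported JSON left on disk for too long. The file-name patterns, the synced-folder markers, the 7-day limit and the fixture it builds for itself are assumptions, not the skill's actual layout.

```python
"""Hygiene audit for a skill folder that holds tax-authority secrets.

Added example, not code from the skill or the scanner. File name patterns,
synced-folder markers and the 7-day limit are assumptions.
"""
import fnmatch
import os
import stat
import tempfile
import time
from pathlib import Path
from typing import List, Optional, Tuple

SENSITIVE_PATTERNS = {
    "certificate": ("*.p12", "*.pfx", "*.pem", "*.key"),
    "secrets": (".env",),
    "debug": ("debug_*.xml",),
    "export": ("*.json",),
}
# Path fragments that usually mean a cloud or shared drive (assumption; extend per host).
SYNCED_MARKERS = ("dropbox", "onedrive", "google drive", "icloud", "mobile documents")
MAX_AGE_DAYS = 7  # assumption: debug/export files older than this should have been deleted

Problem = Tuple[str, str, str]  # (relative path, file class, problem)


def classify(path: Path) -> Optional[str]:
    """Return the sensitivity class of a file, or None if it is not of interest."""
    if path.name == "config.json":  # settings, not records (assumption)
        return None
    for kind, patterns in SENSITIVE_PATTERNS.items():
        if any(fnmatch.fnmatch(path.name, p) for p in patterns):
            return kind
    return None


def gitignore_patterns(root: Path) -> List[str]:
    """Simplified .gitignore reader: one glob per line, comments and blanks skipped."""
    gi = root / ".gitignore"
    if not gi.is_file():
        return []
    lines = gi.read_text(encoding="utf-8").splitlines()
    return [ln.strip().lstrip("/") for ln in lines if ln.strip() and not ln.startswith("#")]


def audit(root: Path, now: Optional[float] = None) -> List[Problem]:
    """Walk root and report every sensitive file that violates a recommendation."""
    now = time.time() if now is None else now
    ignored = gitignore_patterns(root)
    synced = any(m in str(root.resolve()).lower() for m in SYNCED_MARKERS)
    problems: List[Problem] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        kind = classify(path)
        if kind is None:
            continue
        rel = str(path.relative_to(root))
        st = path.stat()
        if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
            problems.append((rel, kind, "readable by group or others"))
        if synced:
            problems.append((rel, kind, "inside a synced folder"))
        if kind in ("certificate", "secrets") and not any(
            fnmatch.fnmatch(path.name, pat) for pat in ignored
        ):
            problems.append((rel, kind, "not listed in .gitignore"))
        if kind in ("debug", "export") and now - st.st_mtime > MAX_AGE_DAYS * 86400:
            problems.append((rel, kind, f"older than {MAX_AGE_DAYS} days"))
    return problems


def build_demo_dir() -> Path:
    """Constructed fixture shaped like the skill folder in the findings; every value is fake."""
    root = Path(tempfile.mkdtemp(prefix="nfse-skill-"))
    cert = root / "certificado.pfx"
    cert.write_bytes(b"not a real PKCS#12 blob")
    os.chmod(cert, 0o644)                                 # too permissive
    env = root / ".env"
    env.write_text("CERT_PASSWORD=fake\n", encoding="utf-8")
    os.chmod(env, 0o600)                                  # correct
    (root / ".gitignore").write_text(".env\n", encoding="utf-8")  # certificate not ignored
    dbg = root / "debug_cancelamento.xml"
    dbg.write_text("<Retorno/>", encoding="utf-8")
    os.chmod(dbg, 0o600)
    stale = time.time() - 30 * 86400
    os.utime(dbg, (stale, stale))                         # left over from a month ago
    return root


def demo() -> List[Problem]:
    """Audit the constructed fixture; returns the problem triples."""
    return audit(build_demo_dir())


if __name__ == "__main__":
    for rel, kind, problem in demo():
        print(f"{kind:12} {rel}: {problem}")
```

Run it against the real skill directory with `audit(Path("~/path/to/skill").expanduser())`; the .gitignore handling is deliberately simplified (no negation or directory rules), so treat a clean result as a first pass, not a proof.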

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (19)

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The documented behavior goes beyond invoice issuance/cancellation into report extraction and financial balance handling. Expanding operational scope beyond the described purpose increases the chance that users authorize a billing skill without understanding it can also access broader accounting data.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
A dedicated accounting-report workflow is included even though the stated skill purpose is emission and cancellation of NFS-e. This hidden scope expansion is risky because it authorizes access to sensitive historical financial records that are not necessary for the primary task.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The skill instructs autonomous invocation of another email-management skill to send invoice PDFs, creating cross-skill data transfer that is not clearly justified by the stated scope. This can leak invoice metadata and recipient information outside the immediate workflow without clear disclosure or approval.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The skill adds export-and-email behavior for accounting JSON files, which extends beyond invoice issuance/cancellation and exposes broader financial data. Because accounting exports may contain comprehensive business records, this creates unnecessary exfiltration risk relative to the stated purpose.

Context-Inappropriate Capability

Severity: Low
Confidence: 95%
Finding
The script writes the full SOAP response from the municipality to a local file unconditionally. These responses may contain invoice identifiers, taxpayer data, validation errors, and other sensitive business information that can persist on disk and be read later by other users, processes, backups, or log collectors.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding
The webservice methods invoke endpoints using plain HTTP while sending XML that contains taxpayer identifiers, invoice details, and cancellation data. Even if wrapped in SOAP, HTTP provides no transport confidentiality or integrity, allowing interception, tampering, replay, or response manipulation by an attacker on the network path.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The README explicitly instructs users to provide sensitive business identifiers such as CNPJ and municipal registration through chat, but does not warn about retention, logging, model-provider exposure, or privacy boundaries. In the context of a tax invoicing skill, these identifiers are operationally sensitive and could be captured by chat history, telemetry, or other agents, increasing the risk of credential and business-data leakage.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The README tells users to place their digital certificate (.p12/.pfx) directly into the project folder, which is a highly sensitive authentication artifact used for municipal tax operations. Storing such material in a general skill directory materially raises the chance of accidental exposure through backups, source control, broad filesystem permissions, or access by other tools and agents.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill directs autonomous copying/renaming of env.example to .env and editing config.json before any user-facing warning or approval. Silent file writes in a sensitive billing skill reduce user awareness and can alter operational or security-relevant configuration without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill mandates autonomous email sending of invoice-related data without a clear privacy warning. Even sending a PDF link can disclose tax records, customer association, and financial activity to an unintended or unreviewed recipient.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill instructs sending generated accounting JSON by email without warning that it may contain sensitive financial and client data. Because these exports can represent a broad snapshot of business operations, unauthorized or accidental transmission could materially harm confidentiality.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The script writes the private key and certificate to a temporary PEM file on disk to satisfy the requests client-certificate interface. Even though the file is deleted in a finally block, the key material exists unencrypted on disk and may be exposed to other local processes, backups, crash artifacts, or forensic recovery if permissions or cleanup fail.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
The script exports retrieved invoice records, including customer identifiers and email addresses, to a local JSON file without any access-control safeguards, redaction, or warning. On shared systems or poorly secured environments, this can create unintended disclosure of personal and financial data.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The code writes the private key and certificate material to a temporary PEM file on disk before making the HTTPS request. Even though it is later deleted, the key exists in plaintext on the filesystem for some period of time and may be exposed through local compromise, backups, crash forensics, or permissive temp-directory access; because this is client-certificate authentication material, exposure can enable impersonation of the taxpayer/service account.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The full SOAP response is written to debug_cancelamento.xml without any opt-in or sanitization. Tax, invoice, error, or identifier data from municipal NFSe responses may contain sensitive business information, and persistent debug logs create an unnecessary disclosure surface for other local users, backups, or log collection systems.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The private key and certificate are written together to a disk-backed temporary PEM file, exposing sensitive key material to local disclosure if file permissions, backups, crash artifacts, or competing local processes are compromised. Even though the file is deleted in a finally block, there is still a window where the key exists on disk unencrypted.
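The three temp-PEM findings above (the one here and the two earlier ones about the same write) all describe the same window: the decrypted key and certificate sit in a world-readable temp directory for as long as the request takes. The helper below is an added example, not the skill's code. It keeps the `requests` `cert=` pattern but creates a fresh 0700 directory and a 0600 file opened with O_EXCL (so no other local user can read it and a pre-planted symlink cannot redirect the write), holds the file only for the request, and overwrites and unlinks it in `finally`. The `send_soap` call shape and the `PEM` sample are assumptions; the key still touches disk, so this narrows the window rather than removing it.

```python
"""Narrowing the on-disk exposure of the client certificate's private key.

Added example, not the skill's code. send_soap's call shape and PEM are assumptions.
"""
import os
import stat
import tempfile
from contextlib import contextmanager
from pathlib import Path
from typing import Dict, Iterator


@contextmanager
def private_pem_file(pem: bytes) -> Iterator[Path]:
    """Yield the path of a private, short-lived PEM file holding `pem`."""
    tmpdir = Path(tempfile.mkdtemp(prefix="nfse-mtls-"))  # mkdtemp creates the dir mode 0700
    path = tmpdir / "client.pem"
    try:
        # O_EXCL: fail instead of following a symlink or reusing an existing file.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(pem)
        yield path
    finally:
        _destroy(path)
        try:
            os.rmdir(tmpdir)
        except OSError:
            pass  # something else landed in the directory; leave it for inspection


def _destroy(path: Path) -> None:
    """Overwrite then unlink. The overwrite is best effort: SSD wear levelling,
    copy-on-write and journaling file systems may keep the old blocks."""
    try:
        size = path.stat().st_size
        with open(path, "r+b") as fh:
            fh.write(b"\0" * size)
            fh.flush()
            os.fsync(fh.fileno())
    except OSError:
        pass
    try:
        path.unlink()
    except FileNotFoundError:
        pass


def send_soap(url: str, xml: bytes, pem: bytes, timeout: float = 30.0) -> bytes:
    """Post a SOAP envelope with client-certificate auth (assumed shape of the skill's call)."""
    import requests  # imported here so the helpers above work without it installed

    with private_pem_file(pem) as cert_path:
        resp = requests.post(
            url,
            data=xml,
            headers={"Content-Type": "text/xml; charset=utf-8"},
            cert=str(cert_path),  # combined key + certificate PEM, as requests expects
            timeout=timeout,
        )
    resp.raise_for_status()
    return resp.content


# Constructed placeholder; a real file would hold the decrypted key and the certificate.
PEM = (
    b"-----BEGIN PRIVATE KEY-----\nnot-a-real-key\n-----END PRIVATE KEY-----\n"
    b"-----BEGIN CERTIFICATE-----\nnot-a-real-cert\n-----END CERTIFICATE-----\n"
)


def demo() -> Dict[str, object]:
    """Observe the file's permissions while it exists and confirm it is gone afterwards."""
    with private_pem_file(PEM) as path:
        file_mode = stat.S_IMODE(path.stat().st_mode)
        dir_mode = stat.S_IMODE(path.parent.stat().st_mode)
        round_trip = path.read_bytes() == PEM
    return {
        "file_mode": file_mode,
        "dir_mode": dir_mode,
        "round_trip": round_trip,
        "file_after": path.exists(),
        "dir_after": path.parent.exists(),
    }


if __name__ == "__main__":
    print(demo())
```

Because the file is unlinked as soon as the `with` block ends, the body of `send_soap` must finish the TLS handshake inside that block; do not keep the session open and reuse the path later.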

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
Persisting the full municipal SOAP response locally without notice creates an unnecessary data exposure channel. The file may contain sensitive tax and customer information, and because the write is automatic and undocumented, operators may not realize regulated or confidential data is being stored on disk.
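The three findings about the unconditional debug write (this one, the Low-severity one earlier and the debug_cancelamento.xml one) share one fix: make the write opt-in and strip identifiers before it happens. The code below is an added example, not the skill's code. It writes only when `NFSE_DEBUG=1` (an assumed switch name), masks taxpayer identifiers and e-mail addresses both in the elements that carry them and in free-text fields, and creates the file mode 0600 without following symlinks. The element names in the regex and the `SAMPLE` response are my assumptions about the NFS-e layout, not taken from the skill or the municipal schema; the error code and description are kept because they are what debugging actually needs.

```python
"""Opt-in, redacted debug output for the municipal SOAP response.

Added example, not the skill's code. Element names and SAMPLE are assumptions.
"""
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Elements whose text is personal or fiscal data (assumed names; adjust to the real schema).
ID_ELEMENT_RE = re.compile(
    r"<(CNPJ|CPF|InscricaoPrestador|InscricaoMunicipal|Email\w*|RazaoSocial\w*)>([^<]*)</\1>"
)
# Formatted identifiers that may appear in free-text fields such as <Descricao>.
CNPJ_TEXT_RE = re.compile(r"\b\d{2}\.\d{3}\.\d{3}/\d{4}-\d{2}\b")
CPF_TEXT_RE = re.compile(r"\b\d{3}\.\d{3}\.\d{3}-\d{2}\b")
EMAIL_TEXT_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def redact(xml: str) -> str:
    """Mask identifiers while keeping the structure and the error fields intact."""
    out = ID_ELEMENT_RE.sub(lambda m: f"<{m.group(1)}>[redacted]</{m.group(1)}>", xml)
    out = CNPJ_TEXT_RE.sub("[cnpj]", out)
    out = CPF_TEXT_RE.sub("[cpf]", out)
    return EMAIL_TEXT_RE.sub("[email]", out)


def write_debug(xml: str, path: Path, enabled: Optional[bool] = None) -> bool:
    """Write the redacted response only when debugging is switched on; return whether it wrote."""
    if enabled is None:
        enabled = os.environ.get("NFSE_DEBUG") == "1"  # assumed opt-in switch
    if not enabled:
        return False
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(redact(xml))
    os.chmod(path, 0o600)  # O_CREAT mode applies only to new files; tighten pre-existing ones too
    return True


# Constructed response in the rough shape of an NFS-e cancellation reply; all values are fake.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<RetornoCancelamentoNFe>
  <Cabecalho Versao="1"><Sucesso>false</Sucesso></Cabecalho>
  <ChaveNFe><InscricaoPrestador>12345678</InscricaoPrestador><NumeroNFe>9001</NumeroNFe></ChaveNFe>
  <CPFCNPJPrestador><CNPJ>12345678000195</CNPJ></CPFCNPJPrestador>
  <CPFCNPJTomador><CPF>12345678909</CPF></CPFCNPJTomador>
  <EmailTomador>cliente@example.com</EmailTomador>
  <Erro><Codigo>1304</Codigo><Descricao>NFS-e 9001 ja cancelada para o CNPJ 12.345.678/0001-95</Descricao></Erro>
</RetornoCancelamentoNFe>
"""


def demo() -> Dict[str, object]:
    """Run both paths (disabled and enabled) in a scratch directory."""
    root = Path(tempfile.mkdtemp(prefix="nfse-debug-"))
    target = root / "debug_cancelamento.xml"
    wrote_when_off = write_debug(SAMPLE, target, enabled=False)
    exists_when_off = target.exists()
    wrote_when_on = write_debug(SAMPLE, target, enabled=True)
    return {
        "wrote_when_off": wrote_when_off,
        "exists_when_off": exists_when_off,
        "wrote_when_on": wrote_when_on,
        "mode": stat.S_IMODE(target.stat().st_mode),
        "content": target.read_text(encoding="utf-8"),
    }


if __name__ == "__main__":
    print(demo()["content"])
```

The element-name list is the part to verify against the real response: redaction by regex is only as complete as that list, so dump one genuine response (to a 0600 file, then delete it) and confirm nothing identifying survives before relying on this in production.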

Ssd 3

Severity: High
Confidence: 97%
Finding
The skill provides detailed natural-language instructions that guide the user to place the certificate password into a local .env file and then report completion in chat. While it avoids asking for the secret directly, it normalizes agent-mediated secret setup around highly sensitive certificate material and could condition users to follow risky secret-handling flows in an adversarial environment.

Ssd 3

Severity: Medium
Confidence: 86%
Finding
The skill uses natural-language instructions to automatically send fiscal PDF links and reports by email, which operationalizes outbound sharing of sensitive records. Because the behavior is framed as mandatory and automatic, users may not realize sensitive data is being transmitted externally.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal