Security audit

Pension

Security checks across malware telemetry and agentic risk

Overview

Pension is a local finance logger whose main risk is that the financial notes users enter are stored and exported as plaintext files on their own machine.

Install only if you are comfortable with finance notes being saved in plaintext under ~/.local/share/pension. Avoid entering account numbers, credentials, or highly sensitive tax details, and delete old logs or export files when you no longer need them.

SkillSpector (by NVIDIA)

Vulnerability patterns checked
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings
Severity: Medium (90% confidence)
Finding: The skill explicitly advertises automatic history and activity logging for personal finance usage, but does not warn users that sensitive financial data will be retained on disk. In a budgeting/pension context, logs may contain account balances, categories, trends, tax notes, and other private financial details that could be exposed to other local users, backups, or malware.

Missing User Warnings
Severity: Medium (95% confidence)
Finding: The script stores sensitive personal finance inputs under a fixed local directory and appends user-provided content to log files without any consent notice, retention control, or data minimization. In a finance tool, persisted plaintext records can expose spending, balances, tax notes, and other sensitive details to other local users, backups, malware, or accidental disclosure.

Missing User Warnings
Severity: Medium (96% confidence)
Finding: The export feature aggregates all logged finance history into shareable files on disk in JSON, CSV, or TXT format with no warning, confirmation, or protection. This increases exposure because it creates a single easy-to-copy artifact containing the user's full financial history, which may then be synced, emailed, or accessed unintentionally.

Ssd 3
Severity: Medium (97% confidence)
Finding: The tool records raw user finance inputs in plaintext and re-displays them through the history, status, recent, search, and export functionality, broadening the attack surface for sensitive data exposure. Because this is a personal finance skill, the context makes the issue more dangerous: even ordinary inputs may contain account balances, transactions, tax information, or other highly private details.
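The three findings above share one root cause: plaintext logs and export files written under a fixed directory with whatever permissions the process umask happens to give them. The script below is an added example, not code from the Pension skill or from SkillSpector. It audits a data directory (defaulting to the ~/.local/share/pension path named in the overview) for group/world-readable files and leftover JSON/CSV/TXT export artifacts, and shows the hardened way to append a log entry (private directory, 0600 file, symlinks refused). The file names "history.log" and "export.csv", the sample entries, and the 0022 umask used in the demo are all assumptions constructed for the example; the real layout inside the directory is not documented on this page.

```python
"""Audit a local finance-logger data directory for the exposure pattern the
SkillSpector findings describe, and show a hardened append routine.
Added example; not part of the Pension skill. File names are assumptions."""
import os
import stat
import tempfile
from pathlib import Path

DEFAULT_DATA_DIR = "~/.local/share/pension"        # path named on the page
EXPORT_SUFFIXES = {".json", ".csv", ".txt"}         # export formats in finding 3


def audit_data_dir(data_dir=DEFAULT_DATA_DIR):
    """Return (path, problem) tuples for every permission or export issue found.

    Only mode bits are checked; a 0644 file inside a 0700 parent is still
    reported, because the parent's protection can change independently.
    """
    data_dir = Path(data_dir).expanduser()
    problems = []
    if not data_dir.is_dir():
        return problems
    dir_mode = stat.S_IMODE(data_dir.stat().st_mode)
    if dir_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append((str(data_dir),
                         f"directory mode {dir_mode:04o} grants access to group/others"))
    for path in sorted(p for p in data_dir.rglob("*") if p.is_file()):
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            problems.append((str(path), f"file mode {mode:04o} is readable by group/others"))
        if path.suffix.lower() in EXPORT_SUFFIXES:
            problems.append((str(path), "plaintext export artifact; delete when no longer needed"))
    return problems


def append_log_entry(data_dir, entry, name="history.log"):
    """Append one line the hardened way: 0700 directory, 0600 file, no symlink
    following, and a tight umask so the mode is not widened at creation time."""
    data_dir = Path(data_dir).expanduser()
    path = data_dir / name
    old_umask = os.umask(0o077)
    try:
        data_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
        os.chmod(data_dir, 0o700)          # exist_ok keeps an old, looser mode otherwise
        flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | getattr(os, "O_NOFOLLOW", 0)
        fd = os.open(path, flags, 0o600)   # refuse a symlink planted by another local user
    finally:
        os.umask(old_umask)
    with os.fdopen(fd, "a", encoding="utf-8") as f:
        f.write(entry.rstrip("\n") + "\n")
    return path


def demo():
    """Write entries the naive way and the hardened way in a scratch directory,
    then audit both. Returns (naive_problems, hardened_problems)."""
    old_umask = os.umask(0o022)            # assumed typical interactive default
    try:
        with tempfile.TemporaryDirectory() as tmp:
            naive_dir = Path(tmp) / "naive"
            naive_dir.mkdir()              # 0755 under this umask
            with open(naive_dir / "history.log", "a", encoding="utf-8") as f:
                f.write("2024-05-01 salary 3200 note: pension contribution 5%\n")  # constructed
            with open(naive_dir / "export.csv", "w", encoding="utf-8") as f:
                f.write("date,category,amount\n2024-05-01,pension,3200\n")          # constructed
            hardened_dir = Path(tmp) / "hardened"
            append_log_entry(hardened_dir, "2024-05-01 salary 3200 note: pension contribution 5%")
            return audit_data_dir(naive_dir), audit_data_dir(hardened_dir)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for p in audit_data_dir():             # real install, if present
        print("%s: %s" % p)
    naive, hardened = demo()
    print("naive layout:", len(naive), "problems; hardened layout:", len(hardened))
```

Run it as-is to audit an existing install, or call audit_data_dir() with another path. Note that tightening modes after the fact does not address the finding about export files being a single copyable artifact; the only fix for that is deleting exports once they have served their purpose, which the audit flags by suffix.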

VirusTotal

56/56 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.