Ledger

Security checks across malware telemetry and agentic risk

Overview

This is a local ledger helper that stores user-entered records on disk and can delete or export them, with no evidence of hidden access, network sharing, or credential use.

Install only if you want a simple local file-based ledger. Treat entries and exports as sensitive, protect ~/.ledger or set LEDGER_DIR to a controlled location, review exported files before sharing, and use remove carefully because it deletes the selected entry immediately.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The invocation language is broad enough that an agent may select this skill for loosely related finance tasks even though the documented functionality is limited and stateful. Over-broad routing increases the chance of inappropriate execution of commands that modify local files or expose stored data rather than merely performing calculations.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The markdown documents remove and export capabilities without warning that they are destructive or can copy potentially sensitive financial data to external files. In an agent setting, lack of explicit warnings can lead to accidental deletion, unintended persistence, or disclosure of local financial records.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal