Back to skill

Security audit

Bank Recon Skill

Security checks across malware telemetry and agentic risk

Overview

This skill locally reconciles bank and ledger files into Excel workbooks, with sensitive-file handling that users should manage carefully but no evidence of hidden or malicious behavior.

Use this only with bank and ledger files you are comfortable processing locally. Choose output paths deliberately, remember that PDF inputs create an additional '_extracted.xlsx' file next to the PDF, avoid shared or synced folders if that is inappropriate, and delete generated workbooks when they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill instructs creation of output workbooks and companion extracted files but does not require confirmation before writing or warn about overwrite behavior. In a financial workflow, this can lead to accidental overwriting of existing files, unintended data persistence beside sensitive source documents, or silent generation of derivative files containing confidential transaction data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill processes bank statements and ledger files, which commonly contain highly sensitive financial and personal information, yet provides no privacy or data-handling warning. This omission increases the risk that users provide regulated or confidential data without understanding retention, output-file creation, or exposure implications, especially when PDFs are converted into additional workbook artifacts.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The script automatically writes extracted and reconciled XLSX files containing bank and GL financial data, including generating a sidecar extracted workbook next to the input PDF. In a financial-processing skill, silent persistence of sensitive data increases exposure risk through unintended local retention, syncing, backup, or later access by other users or processes.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.