Accounting

Security checks across malware telemetry and agentic risk

Overview

This is a coherent offline accounting skill, but users should be careful with edit and delete commands because they affect local financial records.

Install only if you are comfortable storing income and expense history in a local JSON file. Keep the data directory private, maintain backups, and verify record IDs before using edit or delete commands.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The skill explicitly exposes update and delete operations against local accounting data but does not prominently warn users that natural-language requests could modify or permanently remove records. In an agent context, ambiguous prompts, prompt injection through surrounding conversation, or user misunderstanding could trigger destructive actions on sensitive financial records, causing data integrity loss even without internet access.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal