Back to skill

Security audit

Cashflow

Security checks across malware telemetry and agentic risk

Overview

CashFlow appears local-only, but it can retain sensitive finance records even after reporting that an entry was removed.

Review before installing if you may enter sensitive financial details. This tool stores records and command history locally in plaintext, and its remove command does not actually delete saved entries; you may need to manually inspect or delete data.log and history.log to clear stored data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The manifest frames the skill as a finance tool, but the body describes a generic data-entry utility for arbitrary notes and tasks. In an agent ecosystem, this kind of scope drift is risky because tool selection and user trust often depend on metadata, so misleading scope can cause inappropriate invocation and unsafe handling of sensitive data.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The documented command surface expands beyond cash-flow tracking into generic operations such as run, config, status, init, and info, plus arbitrary text logging. That increases the chance an agent or user grants the tool broader trust than warranted, especially because 'run' is underspecified and the skill appears to support workflows outside its declared financial purpose.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The usage guidance explicitly says the tool can log tasks and notes, which broadens the skill beyond its declared personal-finance role. While not directly exploitable code, this misrepresentation can cause data-classification mistakes and lead users to store unrelated or sensitive information under incorrect assumptions about the tool's purpose and safeguards.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill does not prominently warn that it creates and modifies local files and always records command activity in a history log. For a finance-themed tool, undisclosed persistent logging is particularly sensitive because commands and entries may contain personal financial details, and users may not realize that attempted deletions do not erase prior history.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The logging helper writes command names and user-provided arguments to a persistent history file without clear disclosure. In a personal finance context, those arguments may contain sensitive financial details, causing inadvertent local data retention and privacy exposure to other local users, backups, or support bundles.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The add command persists arbitrary user input directly into the local database file with no warning, confirmation, or data-handling notice. Because the skill is marketed for cash-flow tracking, users are likely to enter sensitive financial information, making undisclosed persistence more dangerous and increasing privacy and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.