
Security audit

Payments & Banking

Security checks across malware telemetry and agentic risk

Overview

This appears to be a payment/finance skill with powerful money-moving actions, but the artifacts do not show a clear confirmation step before irreversible actions.

Review before installing. Only use this with accounts you control. Require the agent to restate the amount, currency, recipient, destination, fees, and action type before any transfer, conversion, top-up, remittance, or recipient deletion, and confirm in the payment provider UI where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill exposes high-impact financial actions such as transfers, remittances, conversions, and recipient deletion, but it does not require an explicit user-facing warning or reconfirmation before those actions are undertaken. In a payments context, ambiguous or overly eager agent behavior can cause irreversible financial loss, especially because several listed operations move funds or alter payout destinations.

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.