Back to skill

Security audit

Monarch Money

Security checks across malware telemetry and agentic risk

Overview

This looks like a real Monarch Money integration, but it needs Review because it can change financial data and handles login/MFA secrets with weak guardrails.

Install only if you are comfortable giving the skill access to sensitive Monarch Money credentials and allowing it to make financial-account changes. Prefer a dedicated account setup where possible, avoid command-line password or MFA-secret flags, keep debug logging off, review any write/delete action before it runs, and rotate credentials if logs may have captured secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill clearly requires environment variables containing credentials and performs authenticated API access, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: users or orchestrators may invoke a networked, credential-consuming skill without an accurate permission model, increasing the chance of unintended secret exposure or unsafe execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose frames the skill as transaction search/categorization and budget automation, but the underlying capabilities reportedly extend to destructive and high-impact operations such as creating/deleting transactions, mutating accounts, budgets, goals, and running E2E commands against real data. This mismatch is dangerous because users and supervising agents may grant trust or invoke the skill for read-only tasks while hidden write capabilities can alter sensitive financial records.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The CLI exposes destructive and state-changing capabilities (`create` and `delete`) that exceed the declared skill scope of transaction search/update. In an agent context, this expands the action surface beyond what users and policy may expect, increasing the risk of unauthorized financial record manipulation if the tool is invoked through ambiguous prompts or over-broad permissions.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
The API exposes a deleteAllTransactionRules operation that can wipe all transaction rules in one call, a destructive administrative action with no evidence of additional authorization checks, confirmation flow, or scoping in this code path. In a financial automation context, removing all rules can silently disable categorization and transaction handling logic, causing broad integrity and operational impact.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This code implements a retry workflow around CAPTCHA challenges, explicitly waiting and retrying after anti-bot enforcement is encountered. In an authentication library, that increases risk because it operationalizes continued login attempts against a service's bot-detection controls and may facilitate abusive automation or account lockout pressure.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code explicitly implements 'human-like behavior' through request jitter, burst shaping, and browser impersonation-oriented timing. In a budgeting client, this is suspicious because it is not needed for normal API consumption and can be used to evade bot detection or access controls enforced by the service provider.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The request headers intentionally masquerade as Monarch's web client by sending a browser User-Agent, web Origin, and custom platform/site identifiers. This can bypass service expectations, violate API usage boundaries, and increases the risk that the library is being used to access private functionality in a way users may not understand.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The guide instructs users to retrieve and store their Monarch MFA shared secret so the CLI can generate TOTP codes automatically. A TOTP seed is highly sensitive authentication material; if exposed through shell history, environment dumps, logs, or local compromise, it weakens MFA and can enable persistent bypass of the second factor alongside stolen credentials or session data. In a budget-management skill, handling user transactions is expected, but teaching users to extract and persist the MFA seed increases the attack surface beyond normal troubleshooting guidance.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs users to supply account email, password, and TOTP seed, and later notes that sessions are cached locally, but it does not prominently warn about the sensitivity of these secrets or the risks of storing an MFA secret and reusable session on disk. A leaked password plus TOTP seed can enable persistent account takeover, and local session files may be exfiltrated by other processes or users on the host.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The CLI accepts a password and MFA secret via command-line flags, which can expose sensitive credentials through shell history, process listings, audit logs, or CI job output. In a finance-related tool managing Monarch Money authentication, this increases the risk of account takeover if another local user, administrator, or logging system captures those arguments.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The bulkHideTransactions and bulkUnhideTransactions helpers perform state-changing bulk operations that alter transaction visibility without any built-in confirmation, safety interlock, or user disclosure in this path. In a budgeting tool, hiding transactions can materially affect reports and user decisions, making silent bulk changes a meaningful integrity risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The deleteAllTransactionRules method executes an irreversible, bulk-destructive action with no explicit warning, preview, or confirmation barrier in the implementation. In this skill context, transaction rules are part of financial automation behavior, so accidental or manipulated invocation could disrupt categorization and downstream budget workflows at scale.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The service persists an authentication token and associated session metadata locally via SessionStorage without any visible safeguards in this file, such as encryption, secure OS keychain usage, or explicit user opt-in beyond the default saveSession=true. If local storage is weak or accessible to other users/processes, token theft could enable unauthorized access to the user's financial data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The client logs GraphQL request bodies and full response bodies, which can contain transaction history, account data, emails, balances, and other financial PII. If debug logs are enabled in production or exported to centralized logging systems, sensitive user financial data may be exposed to operators, third parties, or attackers who obtain log access.

Missing User Warnings

Medium
Confidence
75% confidence
Finding
Exposing direct GraphQL query and mutation access through a documented internal client increases the chance that downstream agents or integrators will perform broad, unsafe, or insufficiently reviewed account mutations. In a financial-management context, encouraging raw mutation access without guardrails or prominent warnings can lead to unintended alteration of account data, especially when used by automation or LLM-driven workflows.

Ssd 3

High
Confidence
99% confidence
Finding
The debug log serializes the raw login request body, which includes the user's password and, when present, the generated TOTP code. If debug logs are enabled, these secrets can be exposed to local logs, CI output, support bundles, or centralized log collectors, enabling account takeover and MFA bypass within the code validity window or through password reuse.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
cli/commands/test.ts:46

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
cli/commands/auth.ts:24

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
lib/client/MonarchClient.ts:124