EnvelopeBudget

Security checks across malware telemetry and agentic risk

Overview

This is a real EnvelopeBudget API helper, but it needs review because it can read and change sensitive budget records with broad routing and limited documented safeguards.

Install only if you want an agent to access and manage your EnvelopeBudget account with your API key. Before allowing changes, require the agent to show the exact budget, account, envelope, payee or transaction IDs, amount, date, API method, and request body, then get explicit confirmation for any create, update, delete, transfer, reconcile, merge, archive, allocate, or bulk operation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The skill description claims applicability to broadly phrased requests such as 'anything related to budgeting, expenses, or financial tracking,' which can cause the agent to invoke this skill for a wide range of finance-related prompts. Because the skill enables live reads and writes against a budgeting API, over-broad routing increases the chance of unintended access, disclosure of sensitive financial data, or accidental state-changing actions in the wrong context.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal