Qb Cli

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real QuickBooks CLI, but its login flow uses an undocumented external ngrok callback and it can change financial records with limited safeguards.

Do not authenticate this skill with a production QuickBooks company unless the OAuth redirect is changed to a user-controlled localhost or documented callback, the install source is pinned, and destructive operations are gated by explicit confirmation. If testing, use a sandbox company first and review any create, delete, void, import, send, preference, or batch command before it runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill exposes broad capabilities including shell execution, network access, environment-variable use, and file read/write, but it does not declare permissions or safety boundaries. In an agent setting, this can cause the runtime to grant more trust than warranted, increasing the chance of unauthorized API actions, local file access, or secret handling without user awareness.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The declared description frames the skill as a QuickBooks management/reporting CLI, but the actual behavior includes additional high-impact functions such as bank imports that create transactions, batch execution, attachment upload, reconciliation state handling, and company preference updates. This mismatch can mislead users or agents into invoking riskier operations than expected, especially in financial systems where writes have accounting and audit consequences.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The bank import section describes matching behavior, but the workflow examples do not prominently warn that unmatched transactions will be created in QuickBooks when the non-dry-run command is executed. In bookkeeping software, this can lead to accidental ledger changes, duplicate entries, or incorrect financial records if an agent or user assumes the command is only analyzing or matching.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation includes many delete and void examples across invoices, payments, bills, deposits, attachments, and other entities without consistent warnings about permanence, audit impact, or accounting side effects. In a financial system, casual examples of destructive commands can normalize unsafe execution and increase the likelihood of irreversible data loss or materially altered records.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script sources a local .env file as shell code and then invokes Docker commands with those exported values, but gives the user no visibility that secrets may be loaded and passed into a containerized process. More importantly, source executes arbitrary shell syntax from .env, so a modified .env can run commands in the host shell before Docker is even invoked.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The delete command performs an irreversible financial record deletion with no interactive confirmation, dry-run mode, or explicit force flag. In an agent-consumable CLI that manages live QuickBooks data, this increases the chance of accidental or automated destructive actions from user error, prompt injection, or incorrect agent planning.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The delete command issues a destructive remote API call immediately after fetching the current object, with no confirmation prompt, dry-run mode, or force flag gating. In an agent-consumable CLI that manages live accounting data, accidental invocation, parameter mix-ups, or unsafe automation can permanently remove records and create audit/integrity issues.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The void command performs a state-changing remote operation that zeroes amounts and alters accounting state without any user-facing warning or confirmation. In a financial CLI intended for automation, this increases the risk of unintended voids from operator error, script bugs, or prompt/agent misuse, potentially impacting books and downstream reconciliation.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The command collects a QuickBooks client ID and client secret, places them into a config object, and persists them to disk via save_config without any visible warning or indication of how the file is protected. In a CLI used by agents, storing API secrets locally increases exposure through weak file permissions, backups, shared workspaces, or accidental disclosure, especially because these credentials enable access to financial APIs.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The delete command performs a real remote deletion against the QuickBooks API immediately after fetching the record, with no confirmation prompt, dry-run mode, or safety interlock. In an agent-consumable CLI that exposes accounting operations, a mistaken invocation, prompt injection into upstream agent logic, or misuse of a deposit ID can cause irreversible financial data loss or operational disruption.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The bank import command can create Purchase and Deposit transactions directly from a local statement file whenever --dry-run is not set, without a clear execution-time confirmation or destructive-action warning. In an agent context, this increases the risk of unintended bookkeeping changes, duplicate financial records, and silent data integrity corruption if the tool is invoked on untrusted or misparsed input.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The delete command issues a real remote deletion against the QuickBooks API immediately after fetching the current object, with no confirmation prompt, dry-run mode, or force flag gating the action. In an agent-consumable CLI that manages financial records, this increases the risk of accidental or automated destructive actions from prompt mistakes, parameter confusion, or unsafe tool chaining.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The delete and void commands perform irreversible or business-sensitive state changes immediately after receiving an ID, with no confirmation prompt, dry-run mode, or explicit force flag. In an agent-consumable CLI that manages financial records, this increases the risk of accidental destructive actions from operator error, prompt injection in higher-level agents, or mistaken automation inputs.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The delete command performs an irreversible vendor credit deletion immediately after fetching the current object, with no confirmation prompt, dry-run mode, or safety flag. In a financial CLI used by agents or automation, a mistaken ID, prompt-injection-driven tool invocation, or scripting error can cause unintended deletion of accounting records, creating operational and audit risks.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The 1099 workflow writes vendor identifiers, contact email, tax-ID presence status, and payment totals to a persistent CSV in /workspace without clearly disclosing that side effect in the command help or docstring. In an agent setting, silent local export of financial/vendor data increases the chance of unintended retention, later exfiltration by other tools, or disclosure across tasks sharing the same workspace.

Credential Access

High
Category
Privilege Escalation
Content
SKILL_DIR="$(cd "$(dirname "$0")" && pwd)"

# Load .env if it exists
if [ -f "$SKILL_DIR/.env" ]; then
    set -a
    source "$SKILL_DIR/.env"
Confidence
98% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
SKILL_DIR="$(cd "$(dirname "$0")" && pwd)"

# Load .env if it exists
if [ -f "$SKILL_DIR/.env" ]; then
    set -a
    source "$SKILL_DIR/.env"
    set +a
Confidence
97% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
# Load .env if it exists
if [ -f "$SKILL_DIR/.env" ]; then
    set -a
    source "$SKILL_DIR/.env"
    set +a
fi
Confidence
99% confidence
Finding
.env"

VirusTotal

66/66 vendors flagged this skill as clean.
