Payroll Oracle

Security checks across malware telemetry and agentic risk

Overview

This payroll skill appears to handle real USDC settlement but its audit checks reportedly always pass, so it could approve payments for unverified work.

Do not use this for real payroll unless the audit checks are implemented to fail closed, live settlement is clearly disclosed, and every payment requires explicit confirmation of recipient, amount, network, fees, and evidence reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The file claims to audit GitHub PRs and Linear tasks before enabling payout, but both verification paths are stubs that always return success. In the context of payroll and USDC settlement, this creates a direct authorization bypass: arbitrary or incomplete work can be marked as approved and passed to downstream payment logic.

Intent-Code Divergence

Medium
Confidence: 99%
Finding
The docstrings and printed status messages imply real security-relevant validation, but the functions unconditionally return True. This is dangerous because operators or downstream automation may trust the audit result and release funds based on a false assurance, especially given the skill's stated purpose of settling payments after audit.

Vague Triggers

Medium
Confidence: 94%
Finding
The activation criteria include broad business phrases like 'pay the team' and 'settle invoices,' which can match ordinary conversational requests and cause the skill to engage in a payment workflow unexpectedly. In a skill that can trigger real USDC settlement, overly loose invocation language materially raises the risk of accidental activation, social engineering, or context-confused payment execution.

Missing User Warnings

High
Confidence: 97%
Finding
The skill description does not prominently warn that it can initiate real USDC payments on base-mainnet, even though the metadata and instructions indicate live settlement behavior. This omission is especially dangerous because users or orchestrators may treat it as a simple audit tool, when in reality it can cause irreversible on-chain value transfer and protocol-fee diversion.

VirusTotal

64/64 vendors flagged this skill as clean.