Back to skill

Security audit

Intelligent Budget Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a coherent budget-tracking skill, but it handles sensitive financial data and users should verify the external npm package before use.

Before installing, verify the npm package publisher and version, and treat the saved data as sensitive financial information. Use a private storage path with appropriate filesystem permissions, protect exports and backups, and avoid entering account numbers, credentials, or unnecessary identifiers. Keep explicit control over when the agent adds transactions, processes recurring entries, generates AI insights, exports data, or creates backups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill explicitly documents persistent local storage paths for financial records but provides no warning that the stored data is sensitive, may contain detailed spending/income history, and should be protected with appropriate filesystem permissions or encryption. In the context of a money-tracking library for agents, this increases the risk of unintentional exposure of highly personal financial data through backups, shared machines, insecure directories, or careless deployment defaults.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation advertises AI-powered insight generation over users' financial records without clarifying whether data is processed locally or sent to an external model/provider, creating a meaningful privacy risk. Because financial histories can reveal income, habits, subscriptions, health-related spending, and location patterns, users and agent operators may unknowingly disclose sensitive data to third parties.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.