Back to skill

Security audit

Finance Accounting

Security checks across malware telemetry and agentic risk

Overview

This is a local finance tool, but it handles sensitive financial records while overstating security and accounting accuracy.

Review carefully before using with real financial records. Treat the tool as a basic local prototype, not a production accounting system: verify formulas manually, keep generated files out of public repos and shared folders, add your own encryption and access controls, and do not enable scheduled automation or external integrations until credentials, data flow, retention, and approvals are clearly controlled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The code labels a report as a balance sheet but computes assets from all income and liabilities from all expenses, which is materially incorrect accounting logic. In a finance/accounting skill, this can mislead users into making compliance, reporting, or business decisions based on false financial statements, so the mismatch is a genuine integrity/security issue rather than a harmless documentation bug.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README encourages importing bank statements and integrating with bank APIs/payment systems, which inherently involves highly sensitive financial data, but it does not give clear operational warnings about data sensitivity, transmission risks, credential handling, or third-party exposure. In a finance/accounting skill, this omission increases the chance that users will connect real accounts or process production financial data without appropriate safeguards.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README promotes exporting Excel, JSON, and PDF financial reports without prominently warning that these artifacts may contain confidential financial, tax, and personally identifiable information. In a financial context, exported files are easy to copy, email, sync, or commit to repositories, so missing guidance materially raises the risk of data leakage.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill advertises bank API access, tax-system integration, proactive scheduled execution, and version control of financial data without clear warnings about data transmission, credential handling, retention, or third-party disclosure. In a finance/accounting context, this is especially dangerous because the data involved can include bank transactions, tax filings, invoices, and other highly sensitive records whose silent export or syncing could cause serious privacy, regulatory, and business harm.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.