Back to skill

Security audit

Receipt Compliance

Security checks across malware telemetry and agentic risk

Overview

This accounting skill is mostly purpose-aligned, but it handles sensitive invoice data and can submit external approval workflows while its documentation overstates local-only processing.

Install only after reviewing it with the finance or IT owner. Keep approval integration disabled unless needed, require explicit human confirmation before browser opening or approval submission, store outputs in restricted directories instead of shared temp paths, protect config files containing API credentials, and treat generated JSON/XLSX files as confidential financial records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises substantial capabilities including local file read/write, network access, and shell execution, but does not declare permissions. This creates a transparency and consent gap: users or hosting platforms may not realize the skill can install software, open browsers, call remote APIs, and manipulate local files. In a finance-oriented skill handling invoices and reimbursement data, undeclared capabilities increase the risk of unintended data exposure or unsafe execution paths.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The description emphasizes local processing and enterprise-controlled configuration, but the documented behavior includes external API submission, opening online tax-verification pages, custom remote endpoints, and dependency installation. That mismatch can mislead users into believing all processing stays local when approval submission and verification may transmit sensitive invoice or employee reimbursement data to third parties. In a compliance/accounting workflow, this is particularly risky because financial records, identifiers, and approval metadata may leave the local environment unexpectedly.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script invokes external package managers and directs users to download/install software from the network, which expands the trust boundary beyond purely local data processing. In this skill context, that is risky because installation-time dependency retrieval can introduce supply-chain exposure and contradicts the product description that suggests local-only handling.

Intent-Code Divergence

Medium
Confidence
79% confidence
Finding
The download helper advertises SHA256 integrity verification as a security measure, but the actual installation flow shown in this script does not appear to call that function with an expected hash for any artifact. This can create a false sense of security and leave future or implied download paths vulnerable to tampering or substitution if the function is later used without enforced hash validation.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The engine accepts a user-supplied tesseract_cmd and assigns it directly to pytesseract.pytesseract.tesseract_cmd, which causes the program to launch whatever executable path is provided. Even though the manifest describes local processing, this still exposes arbitrary process execution under the privileges of the tool, so a caller can run a different binary than the expected OCR engine.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The --tesseract argument and OCREngine constructor together allow an arbitrary external executable to be invoked through pytesseract. In an agent/skill context, that is effectively command execution capability: an attacker who can influence this parameter can cause the skill to run another program locally, which can lead to data access, persistence, or execution of unintended code.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The header claims a local OCR-only solution, but the implementation later permits arbitrary executable substitution for the OCR backend. The discrepancy is dangerous because operators may trust the skill as confined to local document processing while it actually contains a broader execution surface, increasing the chance of unsafe deployment or over-privileged use.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
This skill can trigger local browser and OS-level application opening from invoice-processing logic, which expands capability beyond passive data verification. In an agent or automation context, that can cause unintended external navigation, data disclosure to a remote site, or abuse of host-side side effects if invoked without clear user consent.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The natural-language trigger examples are broad and map common phrases directly to meaningful actions like scanning folders, generating files, and submitting approvals. Without a narrowly defined invocation scheme, ordinary conversation could activate file processing or workflow actions unintentionally. In this skill's context, that could cause bulk access to local invoice directories or preparation of approval artifacts without deliberate user intent.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The statement that the AI will 'automatically recognize intent and execute corresponding actions' is ambiguous and lacks safety boundaries. This is dangerous because it suggests action-taking without clarifying when the system asks for confirmation, which is especially problematic for opening links, processing folders, writing reports, or sending approval requests. In a financial skill, accidental execution can affect sensitive documents and enterprise approval workflows.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This example processes invoice images and emits structured fields containing sensitive business and personal data, including company names, invoice identifiers, amounts, and timestamps, but provides no warning about confidentiality, retention, access control, or handling requirements. In an accounting/approval workflow, such omissions can lead users to store, share, or transmit regulated financial data insecurely, increasing privacy and fraud risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide instructs users to write OCR and batch processing results to /tmp, which is commonly a shared or weakly controlled temporary directory on multi-user systems. Because invoice OCR outputs can contain sensitive financial and personal data, storing them there without an explicit warning or secure handling guidance increases the risk of unintended disclosure through local access, backups, crash dumps, or leftover files.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script serializes and writes detailed invoice-processing output, including failed file paths and parsed invoice data, to a JSON file on disk without any minimization, protection, or user warning. In an accounting context this data can contain sensitive financial and personal information, so unprotected local persistence increases the risk of privacy leakage, unauthorized access, and accidental retention.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script writes invoice verification results, including invoice identifiers, date, amount, and timestamps, to any user-specified path without warning, minimization, or permission checks. In enterprise accounting contexts this can persist sensitive financial data to insecure locations, increasing the risk of unauthorized disclosure or retention beyond policy.

External Transmission

Medium
Category
Data Exfiltration
Content
self._token_expire = 0
        self._max_retries = 3
        self._retry_delay = 2  # 秒
        self._submit_url = "https://api.dingtalk.com/v1.0/process/instance"

    def submit_approval(self, expense_file, applicant_user_id=None, **kwargs):
        """
Confidence
78% confidence
Finding
https://api.dingtalk.com/

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
references/setup-guide.md:77

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:750

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
templates/config_template.yaml:17