
Security audit

Tax Receipt Compliance

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for invoice OCR and reimbursement workflows, but it needs Review because it handles sensitive financial data, credentials, external endpoints, and system installation, with some overstated claims and under-scoped safeguards.

Review before installing in a finance environment. Run installer scripts manually, verify any downloaded Windows installer independently, prefer a virtual environment for Python packages, store outputs in restricted directories, and delete OCR JSON or cache files when no longer needed. Treat tax verification results as a manual-follow-up link or as third-party results unless the configured provider truly returns an authoritative response, and require human confirmation before any approval workflow or custom endpoint sends invoice data outside the machine.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The module documentation claims it performs real automatic invoice verification against the official tax bureau platform, but the implementation only constructs and returns a URL for manual user follow-up. This is a security-relevant integrity issue because downstream agents or users may treat the result as authoritative verification and make trust or payment decisions based on a non-existent check.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The class-level description advertises automatic verification on the official platform, but the verify() method never submits a verification request and never validates any response. In an agent skill context, this mismatch is dangerous because other components may rely on the 'ready' result as if invoice authenticity had actually been checked.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The trigger list includes broad, natural phrases such as '发起审批' and '报销审批' that could be uttered in ordinary discussion, increasing the chance of unintended activation. In this skill, accidental activation is more sensitive because the skill can process financial documents and potentially initiate approval workflows tied to external systems.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill explicitly describes generating filled Excel files and persisting learned mappings in `template_cache.yaml`, but it does not clearly warn the user that local files will be created and retained. This can cause unintended data persistence of potentially sensitive invoice and reimbursement information, increasing privacy and compliance risk.

Missing User Warnings

Severity: Low
Confidence: 82%
Finding: The guide instructs users to write OCR output and batch results to /tmp and other filesystem locations without explicitly warning that invoice images and extracted JSON may contain sensitive financial and personal data. On multi-user systems or poorly configured environments, temporary files and logs can be exposed to unauthorized users, leading to data leakage.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The script downloads an executable installer from a third-party mirror (Gitee) and immediately launches it with Start-Process, without any integrity verification such as a pinned checksum, signature validation, or trusted publisher check. If the mirror, release asset, DNS, or transport path is compromised, users could execute arbitrary code on their system during installation.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script makes system-level package changes via package managers and modifies the Python environment with pip, but it does so immediately when run and without any explicit confirmation or dry-run step. In an agent-skill context, this is risky because executing the installer can alter the host system, trigger privilege elevation prompts, and install unpinned Python packages from remote registries without giving the user a clear chance to approve the changes.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The script writes OCR output, including invoice fields and raw extracted text, to a user-specified JSON file without any warning that sensitive financial and business data will persist on disk. In the context of invoice processing, this can expose personal, tax, and commercial information to other local users, backups, sync tools, or logs if operators are unaware of the persistence.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The custom verification path sends invoice metadata to an arbitrary configured endpoint without any runtime disclosure, confirmation, or allowlist checks. In a skill context, this can silently exfiltrate potentially sensitive business or tax data to unintended destinations if the configuration is malicious, mistaken, or compromised.

Sudo/Root Execution

Severity: Medium
Category: Privilege Escalation
Content:
    # Linux
    if command -v apt-get &>/dev/null; then
        # Debian/Ubuntu
        sudo apt-get update
        sudo apt-get install -y tesseract-ocr tesseract-ocr-chi-sim tesseract-ocr-eng
    elif command -v yum &>/dev/null; then
        # CentOS/RHEL
Confidence: 96%
Finding: sudo

Sudo/Root Execution

Severity: Medium
Category: Privilege Escalation
Content:
    if command -v apt-get &>/dev/null; then
        # Debian/Ubuntu
        sudo apt-get update
        sudo apt-get install -y tesseract-ocr tesseract-ocr-chi-sim tesseract-ocr-eng
    elif command -v yum &>/dev/null; then
        # CentOS/RHEL
        sudo yum install -y tesseract tesseract-langpack-chi_sim
Confidence: 97%
Finding: sudo

Sudo/Root Execution

Severity: Medium
Category: Privilege Escalation
Content:
        sudo apt-get install -y tesseract-ocr tesseract-ocr-chi-sim tesseract-ocr-eng
    elif command -v yum &>/dev/null; then
        # CentOS/RHEL
        sudo yum install -y tesseract tesseract-langpack-chi_sim
    elif command -v dnf &>/dev/null; then
        # Fedora
        sudo dnf install -y tesseract tesseract-langpack-chi_sim
Confidence: 96%
Finding: sudo

Sudo/Root Execution

Severity: Medium
Category: Privilege Escalation
Content:
        sudo yum install -y tesseract tesseract-langpack-chi_sim
    elif command -v dnf &>/dev/null; then
        # Fedora
        sudo dnf install -y tesseract tesseract-langpack-chi_sim
    else
        echo "无法检测包管理器,请手动安装Tesseract"
        echo "参考: https://github.com/UB-Mannheim/tesseract/wiki"
Confidence: 96%
Finding: sudo

VirusTotal

VirusTotal findings are pending for this skill version.


Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Severity: Critical
Code: suspicious.exposed_secret_literal
Location: references/setup-guide.md:77

File appears to expose a hardcoded API secret or token.

Severity: Critical
Code: suspicious.exposed_secret_literal
Location: SKILL.md:471

File appears to expose a hardcoded API secret or token.

Severity: Critical
Code: suspicious.exposed_secret_literal
Location: templates/config_template.yaml:17