Back to skill

Security audit

Fintech Customer Support

Security checks across malware telemetry and agentic risk

Overview

This fintech support skill matches its support purpose, but it needs review because it can access, store, transmit, and change sensitive customer financial data with weak boundaries.

Review before installing. Use only in a controlled support environment with verified customer identity, least-privilege transfer API keys, approved webhook destinations, explicit disclosure for OpenAI processing, and a retention/deletion policy for local ticket memory. Add human confirmation or equivalent authorization before refund, recall, dispute, or other account-impacting actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Tainted flow: 'req' from os.environ.get (line 120, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=8) as resp:
            return resp.status < 300
    except urllib.error.URLError:
        return False
Confidence
73% confidence
Finding
with urllib.request.urlopen(req, timeout=8) as resp:

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill's public description focuses on customer support actions, but the body also directs persistent customer-memory storage, weekly operational reporting, and LLM-based message classification. In a fintech context, these undeclared behaviors materially change the privacy and data-handling risk because they expand retention, secondary processing, and sharing of customer data beyond what a user or operator may expect.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The README states the skill works across whatever channels are connected, but it does not define clear trigger boundaries, authorization checks, or channel-specific safeguards. In a fintech support context, broad activation increases the chance the agent responds to unintended messages or performs sensitive support actions from untrusted channels without adequate verification.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README describes autonomous refund-related actions, dispute logging, and complaint escalation to a webhook, but it does not clearly warn operators that these are side-effecting operations. In a financial support workflow, undocumented autonomous actions can cause unauthorized recalls/disputes, customer harm, and leakage of complaint or account data to external systems.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger patterns are extremely broad, including essentially any support-like message in any language and generic terms like money, help, urgent, or problem. In a fintech support skill with API access and memory writes, over-triggering can cause the agent to process unrelated conversations as real support tickets, leading to unnecessary data lookups, retention, and possible disclosure in the wrong context.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill mandates storing customer ID, issue type, resolution/escalation outcome, and timestamps after every interaction, but provides no notice, consent flow, retention limit, or access controls. In a fintech setting this is sensitive support metadata tied to financial accounts, and silent persistence increases privacy, compliance, and breach impact if memory is exposed or reused incorrectly.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The refund handler performs recall and dispute actions that change transaction state based solely on invocation parameters, with no confirmation step, authorization check, or anti-abuse control visible in this file. In a fintech context, unauthorized or mistaken recalls/disputes can affect funds movement, create fraud risk, and trigger costly operational incidents.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The escalation handler transmits customer identifiers, prior issue history, and unbounded free-text summaries to an external webhook without consent signaling, destination validation, or data minimization. In a fintech support setting, that can expose sensitive customer or incident data to third parties and create compliance/privacy violations.

Missing User Warnings

Low
Confidence
86% confidence
Finding
Customer memory and ticket logs are persisted as plain JSON under the user's home directory with no access control, encryption, or retention handling shown. In a fintech support skill, local storage of customer support history can expose sensitive account, dispute, and KYC-related data to other local users, malware, or backups.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Customer support messages in a fintech context may contain sensitive financial, identity, or complaint information, and this code forwards the full raw message to an external LLM API. There is no evidence in the code of user disclosure, consent handling, redaction, or minimization before transmission, which creates privacy and compliance risk.

Ssd 3

Medium
Confidence
94% confidence
Finding
The complaint escalation flow instructs the agent to summarize everything known about the customer from memory and the current conversation, which encourages over-collection and over-sharing into escalation systems. In fintech support, prior memory may contain sensitive account, dispute, KYC, or behavioral details that are not necessary for the specific complaint, increasing internal data exposure and accidental disclosure through downstream tools like webhooks or ticketing systems.

Ssd 3

Medium
Confidence
91% confidence
Finding
The weekly digest includes raw customer identifiers in a plaintext report explicitly intended for onward sharing via support email. This unnecessarily broadens exposure of customer-linked case data and increases the chance of privacy leakage in email forwarding, screenshots, or distribution beyond need-to-know staff.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.