Back to skill

Security audit

phoenixclaw-ledger

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate local finance-tracking skill, but it passively records sensitive financial activity from conversations and payment screenshots with broad automation and limited consent controls.

Install only if you intentionally want passive financial tracking from conversations, memory, and payment screenshots. Before enabling it, confirm how to disable auto-recording, review or undo entries, delete stored receipts and reports, avoid synced or shared folders for the finance directory, and turn off cross-plugin insight sharing if you do not want spending correlated with mood, goals, or social data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (11)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file defines full financial goal creation, storage, automatic updates, and journal/report integrations, which goes beyond the manifest’s stated passive expense and income tracking behavior. This scope expansion is dangerous because it introduces new autonomous state management and decision-making features that users may not expect or consent to, increasing privacy and integrity risk around financial data.

Vague Triggers

High
Confidence
96% confidence
Finding
The skill is configured for passive invocation on broad signals like any mention of money/spending in any language and payment screenshots, which can cause automatic processing of highly sensitive financial data without a clear, narrowly scoped user action. In this context, the plugin also has access to moments, memory, and user_config and persists extracted data, so overbroad activation materially increases the chance of unintended collection and storage of private financial information.

Missing User Warnings

High
Confidence
98% confidence
Finding
The description promotes automatic extraction from conversations and payment screenshots but does not prominently warn users that sensitive financial data will be analyzed and stored persistently. Because the skill handles transaction amounts, merchants, timestamps, and screenshots, omission of an explicit warning undermines informed consent and can lead to silent collection of financial records.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow describes writing extracted transaction data to finance files and exporting finance sections into the journal without an explicit warning that these are persistent records. This is dangerous because users may assume transient analysis, while the skill actually creates long-lived, potentially discoverable financial history that can expand exposure if the journal or home directory is synced, shared, or compromised.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This template is explicitly designed to store and render payment screenshots, merchant names, timestamps, account/payment-method details, and partially masked financial identifiers, but it provides no privacy warning, retention guidance, access-control guidance, or minimization requirements. In the context of a finance-tracking skill that auto-detects data from screenshots and conversations, this increases the chance of exposing sensitive financial and personal data through note syncing, sharing, backups, or unauthorized local access.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document explicitly describes automatic extraction of financial data from conversations and payment screenshots during scheduled processing, but it does not provide a clear privacy warning, consent requirement, or guidance on limiting collection. Because the data is highly sensitive financial information and processing is automated via cron, users may unknowingly enable ongoing surveillance and retention of private spending details.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The monthly and weekly report setup instructs the system to automatically generate and save financial reports to persistent local paths, but the setup lacks a prominent warning that sensitive reports will be stored on disk. This creates a confidentiality risk if the device is shared, backed up insecurely, indexed by other tools, or later accessed by unintended users or processes.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The 'Automatic' create path says goals are detected from conversation based on broad intent such as 'I want to save ¥10k for a bike,' without defining clear confirmation or disambiguation rules. In a financial assistant context, this can cause the system to misinterpret casual conversation as an instruction, leading to unauthorized creation of persistent financial goals and downstream automated updates.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document specifies storage in `~/PhoenixClaw/Finance/goals.yaml` and later describes automatic creation and updates, but it does not mention any user warning, consent, or approval before writing sensitive financial-planning data to disk. Silent persistence of financial goals increases the risk of privacy violations, inaccurate records, and unexpected modification of a user's local files.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document explicitly allows high-confidence payment screenshots to be auto-recorded into the user's ledger, but it does not require an explicit user confirmation or warning before creating financial records and storing receipt metadata. In a finance-tracking skill, silently modifying personal records based on OCR and image classification can lead to incorrect entries, privacy surprises, and unauthorized persistence of sensitive transaction data.

Session Persistence

Medium
Category
Rogue Agent
Content
3. **Extract Data**: Parse amount, merchant, category, timestamp
4. **Categorize**: Apply rules from `references/merchant-category-map.md`
5. **Deduplicate**: Prevent double-counting same transaction
6. **Store**: Write to `~/PhoenixClaw/Finance/ledger.yaml`
7. **Export**: Generate journal section using `assets/daily-finance-section.md`

## Explicit Triggers
Confidence
90% confidence
Finding
Write to `~/PhoenixClaw/Finance/ledger.yaml` 7. **Export**: Generate journal section using `assets/daily-finance-section.md` ## Explicit Triggers While passive by design, users can interact directly

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.