Billy

Security checks across malware telemetry and agentic risk

Overview

This Billy integration appears legitimate, but it gives an agent broad authenticated access to accounting data without clear safeguards for write or delete actions.

Install only if you are comfortable letting Membrane and your agent access Billy under the permissions you grant. Prefer read-only and pre-built actions, require explicit confirmation before creating, updating, exporting, or deleting records, avoid raw proxy requests unless necessary, and revoke the Membrane/Billy connection when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 87%
Finding
The skill description is broad enough that an agent could invoke it for vague requests involving Billy data without first confirming the user's exact intent or the safety of the requested operation. In a finance/accounting context, over-broad routing increases the chance of unintended access, modification, or disclosure of sensitive business records.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation explicitly enables direct proxy access to the Billy API but does not warn that these requests may create, modify, or delete accounting data. Because the skill targets business records and workflows, omission of a confirmation requirement makes destructive or irreversible actions more likely when an agent falls back to raw API calls.

VirusTotal

63/63 vendors flagged this skill as clean.
