Back to skill

Security audit

支出追踪器

Security checks across malware telemetry and agentic risk

Overview

This is a simple expense-tracking skill that stores budget and spending records locally, which fits its stated purpose but may include sensitive personal financial details.

Before installing, consider that spending history and budget settings may be saved in local JSON files. Use it only for financial details you are comfortable storing on this device, especially on shared systems, and review or delete those files when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill states that expense and budget data will be stored in local files, but it does not clearly warn users that potentially sensitive financial information is being persisted. This can lead to unintended retention or exposure of personal spending data, especially on shared devices or environments where local files are accessible to other users or tools.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.