Back to skill

Security audit

Vehicle Expense Tracker

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does vehicle expense tracking, but it needs Review because dry-run can still change config and photo storage paths are not safely contained.

Review before installing. Use a dedicated Google service account limited to the intended spreadsheet, keep local storage in a dedicated directory, avoid vehicle or category names containing slashes, absolute paths, or '..', and do not treat dry-run as fully no-write until the config-save behavior is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation describes file read/write behavior, including saving local Excel files and photos under user-configurable paths, but it does not declare corresponding permissions. Undeclared filesystem capabilities reduce transparency and can cause an agent or user to authorize a skill without understanding that it can persist data locally, overwrite files in chosen directories, or access user-supplied photo paths.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.