Vehicle Expense Tracker

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but it needs review because some local and spreadsheet writes are under-scoped and its dry-run can still change configuration.

Review before installing. Use a dedicated Google service account limited to the intended spreadsheet, avoid vehicle or category names containing slashes, absolute paths, or '..', and do not treat dry-run as a no-write mode until the config-save behavior is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill documentation describes file read/write behavior, including saving photos, writing local Excel files, and using a local config file, but no permissions are declared. Undeclared filesystem access weakens review and consent boundaries because users or platforms may not realize the skill can persist or modify local data under home-directory paths.

VirusTotal

66/66 vendors flagged this skill as clean.
