
Security audit

Tags: xero, quickbooks, invoicing, payments, uk, b2b, accounting, freelance

Security checks across malware telemetry and agentic risk

Overview

This invoice-chasing skill has a coherent business purpose, but it asks for powerful accounting and email credentials and can automatically send sensitive payment-chasing messages to customers.

Review before installing. Use dedicated least-privilege accounts or a credential vault rather than pasting long-lived secrets into chat, keep approval required for all outbound messages, verify each recipient and amount before sending, and confirm your business is allowed to process and transmit customer invoice data through email and WhatsApp.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium severity, 92% confidence
The skill contains contradictory safety rules around Stage 4 final-demand messages: one section says they must never be auto-sent, while the heartbeat logic implies automatic sending may occur when approvals are disabled. In a collections workflow, this inconsistency can cause an agent to send legally sensitive escalation notices without explicit owner review, increasing legal, reputational, and customer-harm risk.
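The safe way to resolve the contradiction is to put the "never auto-send" rule inside the dispatch gate itself, so that switching approvals off for routine reminders cannot also release a final demand. The example below is added here to illustrate that; it is not the audited skill's code. The stage names, the `approvals_required` toggle, the heartbeat caller and the sample invoices are all assumptions for the illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Stage(IntEnum):
    GENTLE = 1
    REMINDER = 2
    FIRM = 3
    FINAL_DEMAND = 4   # the "Stage 4" notice the finding is about (assumed naming)


@dataclass(frozen=True)
class Reminder:
    invoice_id: str
    stage: Stage
    recipient: str   # email address or WhatsApp number
    amount_due: str  # decimal string exactly as the ledger reports it


@dataclass(frozen=True)
class Approval:
    """What the owner actually reviewed; binds invoice, stage, recipient and amount."""
    invoice_id: str
    stage: Stage
    recipient: str
    amount_due: str


class SendBlocked(Exception):
    pass


# Stages that need an owner's approval no matter what the global toggle says.
ALWAYS_REVIEWED = frozenset({Stage.FINAL_DEMAND})


def gate(reminder, approvals_required, approval=None):
    """Return True if the message may go out; raise SendBlocked otherwise.

    approvals_required: the operator's global toggle (assumed). A heartbeat run may
    set it False for routine stages; that must not bypass ALWAYS_REVIEWED.
    approval: the owner's explicit approval for this invoice, or None.
    """
    if not approvals_required and reminder.stage not in ALWAYS_REVIEWED:
        return True
    if approval is None:
        raise SendBlocked(f"{reminder.invoice_id}: stage {reminder.stage.name} needs owner approval")
    reviewed = (approval.invoice_id, approval.stage, approval.recipient, approval.amount_due)
    built = (reminder.invoice_id, reminder.stage, reminder.recipient, reminder.amount_due)
    if reviewed != built:
        # Recipient or amount changed after review (ledger update, typo fix):
        # the old approval does not cover the message as it would be sent now.
        raise SendBlocked(f"{reminder.invoice_id}: approval does not match message as built")
    return True


def heartbeat(due, approvals_required, approvals):
    """Unattended run: dispatch what the gate allows, hold the rest for review."""
    sent, held = [], []
    for r in due:
        try:
            gate(r, approvals_required, approvals.get(r.invoice_id))
            sent.append(r.invoice_id)
        except SendBlocked as e:
            held.append(str(e))
    return sent, held


# Constructed sample data for the example.
DUE = [
    Reminder("INV-1001", Stage.GENTLE, "ap@example.com", "120.00"),
    Reminder("INV-1002", Stage.FIRM, "+447700900123", "980.50"),
    Reminder("INV-1003", Stage.FINAL_DEMAND, "accounts@example.net", "4200.00"),
]

if __name__ == "__main__":
    # Approvals switched off: stages 1-3 go out, the final demand is held.
    print(heartbeat(DUE, approvals_required=False, approvals={}))
    ok = Approval("INV-1003", Stage.FINAL_DEMAND, "accounts@example.net", "4200.00")
    print(heartbeat(DUE, approvals_required=False, approvals={"INV-1003": ok}))
```

Binding the approval to recipient and amount is what makes "verify each recipient and amount before sending" enforceable: an approval given before the ledger changed is rejected rather than silently reused.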

Missing User Warnings

Medium severity, 97% confidence
The guide explicitly instructs users to paste highly sensitive secrets, including OAuth client secrets and later app passwords, directly into the bot. In an agent skill context, this is dangerous because credentials may be logged, retained in conversation history, exposed to operators, or reused beyond the user's intent, enabling compromise of accounting systems and email accounts.
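Two habits close this gap: credentials are read from the process environment (populated by a vault or the operator's shell), never from the chat transcript, and anything that still looks like a secret in an inbound message is redacted before it is stored or logged. The example below is added here to show both; it is not the audited skill's code. The environment variable names, the key-name patterns, the entropy threshold and the sample messages are assumptions.

```python
import math
import os
import re
from collections import Counter

# Assumed variable names; a vault integration would populate these before start-up.
REQUIRED = ("XERO_CLIENT_ID", "XERO_CLIENT_SECRET", "SMTP_APP_PASSWORD")


def load_credentials(env=os.environ):
    """Fail closed: missing secrets stop start-up instead of prompting the user to paste them."""
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise RuntimeError("set in the environment or vault, not in chat: " + ", ".join(missing))
    return {k: env[k] for k in REQUIRED}


# key=value / key: value pairs whose key names a secret, e.g. "client_secret=..." (assumed patterns)
KV_SECRET = re.compile(
    r"(?i)\b(client[_ -]?secret|app[_ -]?password|password|api[_ -]?key|token)\b\s*[:=]\s*(\S+)"
)
# Any long unbroken run of token characters is a candidate for the entropy check.
TOKEN = re.compile(r"[A-Za-z0-9_\-]{20,}")


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def redact(text, entropy_threshold=3.5):
    """Replace secret-looking material with [REDACTED]; return (clean_text, hit_count)."""
    hits = 0

    def kv_sub(m):
        nonlocal hits
        hits += 1
        return f"{m.group(1)}=[REDACTED]"

    text = KV_SECRET.sub(kv_sub, text)

    def tok_sub(m):
        nonlocal hits
        tok = m.group(0)
        # Random-looking tokens (OAuth secrets, app passwords) score high; ordinary
        # long words score well under the assumed 3.5-bit threshold.
        if shannon_entropy(tok) >= entropy_threshold:
            hits += 1
            return "[REDACTED]"
        return tok

    text = TOKEN.sub(tok_sub, text)
    return text, hits


def record_message(history, text):
    """Append to conversation history only after redaction, so secrets never persist."""
    clean, hits = redact(text)
    history.append(clean)
    return hits


if __name__ == "__main__":
    history = []
    # Constructed sample turns, not real credentials.
    for msg in (
        "here you go: client_secret=s3cr3t-AbCdEf0123456789xyz and my email is ap@example.com",
        "the app password is xA9fQ2mL7kPzR4vB8nT1wY6c",
        "please chase the overdue invoices for Northwind Traders",
    ):
        print(record_message(history, msg), history[-1])
```

The key-name pattern catches the case the guide creates (a user pasting `client_secret=...`); the entropy check catches the bare token pasted without a label, which is how app passwords usually arrive.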

Missing User Warnings

Medium severity, 88% confidence
The setup normalizes automatic access to accounting and email data without clearly warning users that invoices, contacts, payment status, and mailbox credentials expose sensitive financial and personal information. In this context, lack of informed-consent and privacy disclosure increases the chance users grant broad access without understanding the data exposure and compliance implications.

Vague Triggers

Medium severity, 83% confidence
The trigger phrase "send all due" is generic enough that it could plausibly be invoked in normal conversation or collide with other automation patterns, especially in a multi-skill or chat-driven agent environment. In this skill, that phrase can initiate bulk outbound debt-chasing actions affecting real customers, so ambiguous activation raises the risk of unintended operational and reputational harm.

Missing User Warnings

Medium severity, 86% confidence
The README describes transmission of invoice balances, debtor identities, contact details, and payment status through email, WhatsApp, and accounting integrations without any explicit privacy, retention, consent, or data-sharing warning. Because the skill handles financial and contact data and may send it over third-party channels, missing data-handling guidance increases the likelihood of improper use, non-compliant deployment, or accidental disclosure.

Vague Triggers

Medium severity, 88% confidence
Several trigger phrases are broad enough to match ordinary finance queries such as "who owes me money" or "payment report", which can invoke sensitive billing workflows unexpectedly. In a skill that can send outbound reminders and update invoice state, accidental activation can expose customer data or initiate unwanted communications.
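Both trigger findings (the generic "send all due" phrase and the broad finance queries) come down to the same design point: a matched phrase should be allowed to run a read-only action directly, but a side-effecting action (sending reminders, changing invoice state) should only be queued for a separate confirmation turn, and a sentence that matches two triggers should not be guessed at. The router below is an added example of that rule, not the skill's own trigger handling; the trigger table, effect classes and sample utterances are constructed for the illustration.

```python
import re

# Constructed trigger table; the phrase lists are assumptions, not the skill's own.
# "effect" is what the action does if it runs: read-only, mutate the ledger, or contact customers.
TRIGGERS = {
    "report_overdue": {"phrases": ("who owes me money", "payment report", "overdue report"), "effect": "read"},
    "mark_paid":      {"phrases": ("mark paid", "mark as paid"), "effect": "write"},
    "send_all_due":   {"phrases": ("send all due", "chase everyone"), "effect": "send"},
}

# Only read-only actions may run straight from a matched phrase.
RUN_WITHOUT_CONFIRMATION = {"read"}


def matches(utterance):
    """Names of every action whose trigger phrase appears as a whole phrase (case-insensitive)."""
    found = []
    for name, spec in TRIGGERS.items():
        for phrase in spec["phrases"]:
            if re.search(r"\b" + re.escape(phrase) + r"\b", utterance, re.IGNORECASE):
                found.append(name)
                break
    return found


def route(utterance, confirmed_action=None):
    """Decide what to do with an utterance.

    confirmed_action: the action name the owner confirmed in a separate turn
    (never inferred from the same utterance that triggered it).
    Returns (action, decision) with decision in {"none", "ambiguous", "run", "confirm"}.
    """
    found = matches(utterance)
    if not found:
        return None, "none"
    if len(found) > 1:
        # Two triggers in one sentence: do not guess which one was meant.
        return tuple(found), "ambiguous"
    action = found[0]
    effect = TRIGGERS[action]["effect"]
    if effect in RUN_WITHOUT_CONFIRMATION or confirmed_action == action:
        return action, "run"
    return action, "confirm"


if __name__ == "__main__":
    # Constructed utterances showing each decision.
    for text in (
        "who owes me money this month?",
        "I told them to send all due invoices to my accountant",
        "I emailed the payment report and asked them to send all due amounts",
        "what is the weather like",
    ):
        print(route(text))
    print(route("I told them to send all due invoices to my accountant", confirmed_action="send_all_due"))
```

Note that the second sample sentence is ordinary conversation about an accountant, yet it contains "send all due"; with this routing it produces a confirmation prompt naming the bulk action instead of a bulk dispatch.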

Missing User Warnings

Medium severity, 90% confidence
The skill prominently enables automated email and WhatsApp chasing but does not place an equally prominent warning that it can contact external customers on the user's behalf. This increases the chance that a user enables the skill without understanding it can autonomously send business communications that may be legally or commercially sensitive.

VirusTotal

49/49 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.