Spend Pulse

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it says: connect to Plaid-backed financial data, store credentials in Keychain, and produce spending summaries and charts.

Install only if you are comfortable connecting financial accounts through Plaid and letting the skill process spending data locally. Treat generated charts and alerts as sensitive financial information, and share them only in private contexts.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill handles highly sensitive financial data by syncing bank transactions through Plaid, but the user-facing workflow does not clearly warn that transaction data will be transmitted to Plaid and processed/stored locally. In a finance-oriented skill, omission of an explicit privacy notice increases the risk of uninformed consent and accidental exposure of sensitive spending data.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The instructions repeatedly say to always attach the generated spending chart, but do not warn that the image can reveal sensitive financial information such as monthly budget, total spend, pace, and timing. If an agent shares that chart into chats, notifications, or external systems, it can leak private financial data beyond the intended audience.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal