invoice-extractor-from-mail

Security checks across malware telemetry and agentic risk

Overview

The skill has a coherent invoice-processing purpose, but it asks for sensitive mailbox and business credentials and includes unsafe automatic remote installer execution.

Review carefully before installing. Use a dedicated test mailbox or narrow folder, apply sender/date/type limits, export to local Excel first, and avoid business-system API push until mappings are verified. Do not run the remote installer commands blindly; install only from a trusted, pinned source after review, and store all mailbox, ADP, cloud, and ERP credentials in a proper secret manager with least-privilege scopes and a revocation plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (13)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill explicitly instructs fetching and executing remote installation scripts via shell/PowerShell, which creates an unnecessary software-installation and code-execution capability inside a document-processing workflow. If the remote source, transport, or repository is compromised, users may execute arbitrary code on their machines.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README promotes automatic mailbox access and attachment retrieval but does not clearly warn users that the skill may ingest large volumes of potentially sensitive email content and documents. In a finance/AP context, this increases the chance of over-collection of invoices, PII, banking details, and confidential business records without informed user consent or proper scoping.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users to supply sensitive credentials such as app passwords, OAuth client secrets, tenant IDs, and API keys, but provides no explicit secret-handling guidance or warning not to paste them into insecure channels, logs, prompts, or shared configs. Because this skill processes enterprise mailboxes and finance data, poor credential hygiene could enable mailbox compromise, unauthorized API access, or downstream exfiltration of invoices and related records.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README promotes automatic mailbox access and attachment retrieval for invoices but does not clearly warn users that this involves access to privacy-sensitive email content and potentially broad mailbox data. In a finance/AP context, emails and attachments commonly contain invoices, supplier details, payment data, and other confidential records, so normalizing this behavior without explicit privacy/security guidance increases risk of over-collection and misuse.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README enumerates sensitive credential types including app passwords, authorization codes, client secrets, tenant IDs, app secrets, and API keys, but does not pair this with explicit guidance to protect them as secrets. In a skill centered on mailbox and document-system integration, leaked credentials could enable unauthorized mailbox access, API abuse, invoice exfiltration, or persistence in connected business systems.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The skill allows user-specified mail services, protocols, and arbitrary connection parameters with minimal scope restriction. In context, this broad connectivity increases the chance of overbroad credential collection, misuse against unintended mail systems, or connections to untrusted endpoints.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill performs recursive local scanning and automatic mailbox retrieval, both of which can access large amounts of sensitive data with little up-front warning. In a finance/invoice context, that data likely contains confidential business records, making unintended over-collection more harmful.

Missing User Warnings

High
Confidence
99% confidence
Finding
The documentation includes automatic execution of remote installation scripts without any meaningful safety warning, review step, or verification guidance. This directly exposes users to arbitrary code execution risk from a third-party hosted script, which is especially dangerous because the skill later says missing CLI should trigger automatic installation.

Natural-Language Policy Violations

Low
Confidence
72% confidence
Finding
Automatically selecting a region-based API endpoint affects where documents and metadata are sent, which has privacy, residency, and compliance implications. In an invoice-processing skill handling potentially regulated financial documents, endpoint choice should be explicit rather than silently inferred.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- Supports user uploading a single file or specifying a local folder
- Supported formats: .jpeg, .jpg, .png, .bmp, .tiff, .pdf, .doc, .docx, .xls, .xlsx
- Supported size: 50 MB (if file > 20 MB, the ADP async interface is recommended)
- Folder mode automatically performs recursive scanning, filtering by file extension
- Batch processing supports concurrency, with a default concurrency of 2 (ADP free users will automatically be limited to 1 concurrent process)

**Branch B -- Email Attachments:**
Confidence
75% confidence
Finding
automatically perform

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
|---|---|
| Email connection failure | Terminate immediately, prompt to check connection parameters |
| Single file download/read failure | Skip, log to `failed.log`, continue processing the next file |
| ADP CLI not installed | Automatically execute the installation script |
| ADP credentials not configured / authentication failure | Terminate immediately, guide the user to execute `adp config set --api-key <KEY>` |
| ADP extraction failure (corrupted file / blank page, etc.) | Do not retry, log to `failed.log` |
| ADP async task timeout | Exponential backoff polling with `adp extract query <task_id>`, up to 3 retries |
Confidence
97% confidence
Finding
Automatically execute

External Script Fetching

Low
Category
Supply Chain
Content
npm install -g @laiye-adp/agentic-doc-parse-and-extract-cli

  # Linux / macOS
  curl -fsSL https://raw.githubusercontent.com/laiye-ai/adp-cli/main/scripts/adp-init.sh | bash

  # Windows (PowerShell)
  irm https://raw.githubusercontent.com/laiye-ai/adp-cli/main/scripts/adp-init.ps1 | iex
Confidence
98% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/laiye-ai/adp-cli/main/scripts/adp-init.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
npm install -g @laiye-adp/agentic-doc-parse-and-extract-cli

  # Linux / macOS
  curl -fsSL https://raw.githubusercontent.com/laiye-ai/adp-cli/main/scripts/adp-init.sh | bash

  # Windows (PowerShell)
  irm https://raw.githubusercontent.com/laiye-ai/adp-cli/main/scripts/adp-init.ps1 | iex
Confidence
99% confidence
Finding
| bash

VirusTotal

62/62 vendors flagged this skill as clean.
