Security audit

Compliance Guardian

Security checks across malware telemetry and agentic risk

Overview

This is a local FinCEN compliance helper whose sensitive-data handling is purpose-aligned, but users need to be careful with clipboard export and browser-saved tracker records.

Install only if you are comfortable handling FinCEN-related personal and transaction data in a local browser tool. Use it on a trusted device and browser profile, avoid shared machines, remember that Copy to Clipboard may place DOBs and TIN/SSN-like values where other apps or clipboard history can see them, and clear browser storage or avoid tracker entries when records should not persist.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Intent-Code Divergence

Medium

Confidence: 93% confidence
Finding: The UI tells users that filing data is stored only in the browser, but the pre-fill feature also copies the generated report to the system clipboard. Because the report includes highly sensitive personal and tax-identification data, this is a privacy-impacting mismatch that can lead to unintentional disclosure to other apps, remote desktops, clipboard history, or later paste actions.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly collects highly sensitive personal data, including beneficial owner names, dates of birth, addresses, citizenship, and TINs, and states that the data is stored in browser localStorage. localStorage is not appropriate for regulated or identity-sensitive data because it is persistent, accessible to any script running in the origin, and exposed to anyone with access to the device or browser profile. In this compliance context, the combination of PII collection and casual local storage materially increases the risk of identity theft, unauthorized disclosure, and regulatory/privacy violations.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: This function assembles names, addresses, dates of birth, and TIN/SSN-like values into a single report and writes it to the system clipboard with only a generic success alert. Clipboard contents are accessible outside the page context through user paste actions, clipboard managers, OS history, and some enterprise monitoring tools, so silently copying this level of PII is risky.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The tracker persists filing-related data in localStorage without an explicit warning at the moment of storage or controls for retention and deletion. In a compliance tool handling real-estate and beneficial ownership information, persistent browser storage increases exposure to other users of the device, browser compromise, shared profiles, and stale sensitive records remaining indefinitely.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.