Self-Improving Finance

Security checks across malware telemetry and agentic risk

Overview

This finance logging skill is mostly transparent, but its optional always-on hooks can run across prompts and sessions, so it needs review before installation.

Install only if you want persistent local finance reminders and learning logs. Prefer project-level setup, replace empty matchers with finance-specific patterns, avoid global user-level hooks, skip PostToolUse unless you need it, and review any changes to AGENTS.md, control matrices, payment workflows, or generated skills before relying on them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (11)

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
Finding
The skill expands from simple logging into updating operational artifacts such as AGENTS.md, checklists, control matrices, and other governing documents. That broader authority can indirectly alter agent behavior and business processes, creating integrity and governance risks if promoted content is wrong, manipulated, or insufficiently reviewed.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
Automatic skill extraction/generation goes beyond recording finance learnings and creates reusable agent artifacts from prior entries. Turning logged content into executable or influential skill material can propagate prompt-injected, incorrect, or unsafe instructions into future sessions if the source logs are not strictly validated.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The hook setup instructs the agent to inspect Bash tool output after use, which is much broader than needed for a finance logging assistant. Post-tool inspection can capture unrelated command output, including sensitive operational or financial data, and may create a covert monitoring surface across the workspace.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The document instructs users to install command hooks into AI coding agents, expanding the skill from finance issue capture into prompt-interception and automated command execution. That broader integration materially increases attack surface because every prompt or tool event can invoke local scripts with agent privileges, which is more powerful than the skill's stated business purpose requires.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The guide recommends user-level global activation, causing the skill's script to run across unrelated repositories and sessions. For a finance-focused skill, that scope is unjustified and risky because it can capture or influence prompts outside intended contexts and persist beyond the user's awareness.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The security section states the scripts 'only output text' and 'don't modify files or run commands,' but the documented mechanism explicitly runs shell commands via hook configuration. This contradiction can mislead users into granting trust they would not otherwise give, increasing the chance that command-executing hooks are installed without appropriate scrutiny.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
An empty matcher on UserPromptSubmit causes the hook to trigger on every prompt regardless of topic. This creates unnecessary broad interception of user activity, increases exposure of sensitive context, and makes it easier for the skill to influence sessions outside its intended finance scope.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The advanced setup repeats the same broad empty matcher for UserPromptSubmit, so the skill will activate globally even when users enable additional hooks. Combined with Bash post-processing, this materially increases the scope of monitoring and accidental data collection.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
An empty matcher on UserPromptSubmit causes the hook to fire on every prompt, regardless of whether the session is finance-related. This overly broad interception increases unnecessary exposure of prompt contents and maximizes opportunities for unintended influence or data handling by the script.

Vague Triggers

Severity: Medium
Confidence: 97%
Finding
Global user-level activation combined with an empty matcher makes the hook run for essentially all prompts in all sessions for that user. This creates a persistent, cross-context interception mechanism that is especially dangerous because it affects unrelated workspaces and may expose sensitive non-finance content.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The Codex example also uses an empty matcher, so the hook activation scope is effectively unconstrained. In practice, this broadens invocation to all prompts in that environment, which is unnecessary for a finance-improvement skill and increases privacy and security risk.

VirusTotal

66/66 vendors flagged this skill as clean.