Bank statement processing and conversion (银行对账单处理和转换)

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for bank statement conversion, but it automatically downloads unverified spreadsheet templates from the internet while handling sensitive financial files.

Review before installing. This skill does not show exfiltration or destructive behavior, but it processes bank statements and may automatically download spreadsheet templates from a third-party object-storage host without checksum or signature verification. Prefer pre-vetted local templates, run the skill in a controlled environment, and avoid cloud OCR backends unless you have explicitly approved that data transfer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability

Medium, 93% confidence
Finding
The skill handles highly sensitive financial documents locally, but the documented template fallback introduces outbound network access and local file writes that are not essential to statement parsing itself. If the download source is compromised, spoofed, or insufficiently verified, an attacker could supply malicious or tampered templates or use the feature to exfiltrate environment/network metadata in a context involving bank data.

Context-Inappropriate Capability

Medium, 86% confidence
Finding
The extension guidance explicitly contemplates cloud OCR backends, which can transmit bank statement contents to third-party services. In this skill context, OCR input may contain account numbers, names, balances, and transaction details, so external processing materially increases confidentiality and compliance risk.

Context-Inappropriate Capability

Medium, 91% confidence
Finding
The file explicitly documents and implements a fallback that resolves the template locally and otherwise automatically downloads it from an internet source via template management. Pulling executable workflow inputs from the network without visible integrity verification, origin pinning, or explicit user consent creates a supply-chain risk: a tampered template could inject malicious content, unexpected formulas/macros, or poison downstream processing.

Context-Inappropriate Capability

Medium, 87% confidence
Finding
The module-level design explicitly allows automatic template download from the internet as a fallback for what is otherwise a local file-mapping utility. This expands the attack surface by introducing external content retrieval and trust in remote template sources, which can enable supply-chain abuse, unexpected data egress, or processing of attacker-controlled files if the remote source or resolution path is compromised.

Context-Inappropriate Capability

Medium, 91% confidence
Finding
The default template resolver delegates to a template manager that may perform remote retrieval without any visible user consent or security validation in this mapper. In the context of a bank statement conversion component, hidden network access is more dangerous because it is unexpected for an offline transformation workflow and may pull in untrusted external artifacts used in downstream file generation.

Context-Inappropriate Capability

Medium, 90% confidence
Finding
The file-level documentation explicitly states that if a local template is not found, the code may automatically download the template from the internet. In a data-mapping skill whose primary purpose is local transformation of bank statement data, this introduces network access and remote content retrieval without clear trust boundaries, integrity verification, or user consent, creating supply-chain and data-handling risk.

Missing User Warnings

Medium, 91% confidence
Finding
The documentation describes automatic network access and writing downloaded templates to local storage without prominent warning or consent flow. In a financial-data processing skill, hidden or under-disclosed network and filesystem behavior undermines user expectations and can lead to silent retrieval of untrusted content or policy violations.

Missing User Warnings

Medium, 95% confidence
Finding
The module automatically downloads remote template files and writes them into the local skill directory when a file is missing, without explicit user confirmation, integrity verification, or trust validation of the downloaded content. In this skill context, the downloaded files are office spreadsheet templates from hardcoded external URLs; that creates a supply-chain risk because a compromised hosting endpoint or replaced file could deliver malicious or unexpected content that downstream users may open or process.

Missing User Warnings

Medium, 80% confidence
Finding
The module advertises a fallback that may automatically download a missing template from the internet via delegated template resolution, yet there is no visible consent, warning, or trust control in this call path. Silent network retrieval of a document template increases supply-chain and integrity risk, especially if the downloaded file is later consumed by spreadsheet tooling or other parsers.

Missing User Warnings

Medium, 87% confidence
Finding
The code comments describe an automatic remote-download behavior, and the implementation delegates template resolution to a helper without any disclosure or warning in this mapper when network access may occur. Hidden network retrieval reduces transparency and can lead operators to process sensitive financial data under assumptions of purely local behavior, increasing privacy, compliance, and trust risks.

Missing User Warnings

Medium, 95% confidence
Finding
The _default_template_path method calls resolve_template('YYNCC'), and the surrounding comments indicate that resolution may include automatic download. Because this occurs implicitly during mapper initialization and there is no user-facing warning or validation in this code path, an attacker controlling the remote source or network path could influence the template content or trigger unexpected outbound access.

Missing User Warnings

Medium, 93% confidence
Finding
When in-memory OCR image handling fails, the parser saves full-page PNGs of bank statements to predictable local filenames like _ocr_page_{i}.png. Those files contain highly sensitive financial data and may persist on disk if the process crashes, is interrupted, or runs in a shared directory, exposing statement contents to other users or processes.

VirusTotal

61/61 vendors flagged this skill as clean.
