plaid

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Plaid CLI helper for financial account data, with sensitive but purpose-aligned access and no evidence of hidden or malicious behavior.

Install only if you trust the external plaid-cli module and are comfortable letting an agent query Plaid-linked balances and transactions. Protect ~/.plaid-cli, avoid printing access tokens, and only set up cron monitoring intentionally.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The example triggers are broad natural-language requests that can overlap with ordinary conversation and may cause this finance skill to activate without sufficiently explicit user intent or account-selection context. In a banking context, accidental activation is more dangerous because it can lead to querying sensitive balances or transaction history from linked financial accounts.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal