Security audit

02 Smb Invoice Tracker

Security checks across malware telemetry and agentic risk

Overview

The skill is an invoice ledger with external LLM use, but it overstates sensitive automation such as Gmail scanning, scheduled reminders, Telegram digests, and message sending.

Review before installing. Treat this release as a local invoice-tracking CLI, not a complete automated Gmail and reminder system. Do not connect real client or financial data unless you are comfortable with invoice details being stored locally and potentially sent to the configured LLM endpoint; require manual review of any generated reminder before using it with clients.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration

Findings (9)

Tainted flow: 'req' from os.environ.get (line 137, credential/environment) → urllib.request.urlopen (network output)

Critical

Category: Data Flow
Content: "User-Agent": USER_AGENT, } ) with urllib.request.urlopen(req, timeout=30) as r: result = json.loads(r.read()) return result["choices"][0]["message"]["content"].strip() except Exception as e:
Confidence: 89% confidence
Finding: with urllib.request.urlopen(req, timeout=30) as r:

Lp3

Medium

Category: MCP Least Privilege
Confidence: 96% confidence
Finding: The skill describes capabilities that imply network access, local state updates/exports, and use of credentials, but it declares no permissions or equivalent consent boundaries. In a privacy-sensitive workflow that scans Gmail and sends outbound reminders, undeclared capabilities can bypass user expectation and platform review, increasing the risk of unauthorized data access, message sending, or file generation.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 97% confidence
Finding: This is a mismatch because the description presents an automated workflow centered on Gmail scanning, LLM extraction of invoice amounts/due dates, and sending reminders via WhatsApp or email. In reality, the Gmail functionality is only a placeholder with no real API integration, there is no code that extracts invoice details from scanned emails, and reminder sending only generates and prints message text rather than actually delivering it through email or WhatsApp. The code's primary behavior is instead a local command-line invoice ledger with manual add/list/mark-paid/report/configure operations. It does include cash flow reporting and reminder text generation, which partially aligns with the description, but the core advertised automation is not implemented, and the code also contains notable capabilities not mentioned in the description.

Description-Behavior Mismatch

Low

Confidence: 84% confidence
Finding: The skill states it produces a daily Telegram digest, but that outbound notification channel is omitted from the manifest description. Hidden or undocumented outbound channels matter because they can transmit invoice status, due dates, and other business-sensitive metadata to third-party services without users understanding the full data flow.

Vague Triggers

Medium

Confidence: 87% confidence
Finding: Broad trigger phrases like 'cash flow' or 'track invoices' can cause the skill to activate in conversations where the user did not intend Gmail scanning, ledger updates, or automated reminders. In a skill that handles sensitive email content and can send outbound communications, accidental activation raises privacy and integrity risks by initiating data access or actions without sufficiently specific user intent.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill description does not prominently warn that it scans Gmail for invoice-related emails and can send automated reminders through email or WhatsApp. Because this involves processing potentially sensitive financial correspondence and initiating external messages, insufficient disclosure weakens informed consent and can lead to privacy violations, accidental client contact, or reputational harm.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The marketplace copy promotes scanning Gmail and sending automated reminders via WhatsApp or email without clearly warning users that the skill will access potentially sensitive email content and initiate outbound messages on their behalf. This can mislead users about privacy, consent, and automation risks, increasing the chance of unexpected data exposure, unauthorized messaging, or compliance issues if deployed without informed consent.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The reminder flow transmits invoice data to an external LLM service without explicit disclosure or consent at the point of use. In an invoice-tracking skill, payer names, amounts, due dates, and notes can contain confidential business information, making undisclosed third-party sharing a real privacy and compliance risk.

Ssd 1

Medium

Confidence: 88% confidence
Finding: User-controlled invoice note text is inserted directly into the LLM prompt as if it were trusted invoice context. A crafted note can semantically instruct the model to alter the reminder content, include unintended text, or ignore the intended style/output constraints, which is especially relevant because the generated message may be reused in customer communications.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal