Back to skill

Security audit

Taxi Expense

Security checks across malware telemetry and agentic risk

Overview

This skill appears to locally turn taxi receipt screenshots into reimbursement spreadsheets, with expected but privacy-relevant storage of travel data.

Install only if you are comfortable with taxi dates, locations, amounts, redacted screenshots, and spreadsheets being stored locally. Review the generated Excel before sharing it, confirm any Telegram recipient manually, and delete the local taxi_expense outputs when they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill instructs the agent to execute shell commands (`bash setup.sh` and `node process.js`) but does not declare permissions or clearly constrain what those commands may access. In an agent environment, undeclared shell capability weakens user awareness and policy enforcement, and the setup step also implies filesystem modification and dependency installation that could expand the attack surface.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill description emphasizes OCR, masking, and Excel generation, but the documented behavior also persists a local order history database, applies reimbursement-policy filtering, and performs network access during setup to download OCR data. This mismatch can mislead users about data retention, external connectivity, and business-logic decisions, increasing the risk of privacy surprises and unintended processing of sensitive travel records.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The chat trigger word “处理” is overly broad and can easily appear in normal conversation, increasing the chance that the skill activates on unintended user messages. In this skill’s context, accidental activation could cause OCR processing of screenshots and creation of local reimbursement artifacts without clear user intent, which is a meaningful privacy and workflow safety issue.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README says processed reimbursement data will be sent back to the user, but it does not clearly disclose that the skill also writes monthly Excel files, JSON order data, and redacted screenshots to local storage. Because the skill handles taxi order screenshots containing sensitive location and expense information, insufficient disclosure of retention and storage behavior creates a real privacy risk and may cause users to unknowingly leave persistent sensitive data on disk.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The trigger condition, 'When user sends taxi order screenshots,' is broad and can cause the skill to activate on any image that appears related, without requiring explicit user intent to run OCR, store data, or generate reimbursement artifacts. Because the skill processes sensitive screenshots and writes results to persistent local storage, overbroad activation raises the chance of unintended handling of personal travel information.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.