Back to skill

Security audit

Invoice

Security checks across malware telemetry and agentic risk

Overview

This invoice skill is mostly coherent, but it can write sensitive invoice data to GitHub and may trigger email delivery after broad confirmations like “OK” or “Ja.”

Install only if you are comfortable giving the skill write access to a dedicated private invoice repository. Use a fine-grained GitHub token limited to that repository, review every preview carefully, and treat short replies like OK or Ja as approval to persist invoice data and potentially trigger PDF generation or email sending.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill invokes shell scripts (`get-next-number.sh`, `calc-preview.sh`, `push-invoice.sh`, `get-invoices.sh`) while not declaring explicit permissions for shell execution. This creates a capability/permission mismatch that weakens reviewability and can hide the true execution surface, especially because the scripts handle repository writes and process user-influenced invoice JSON.

Vague Triggers

Medium
Confidence
96% confidence
Finding
Using a broad confirmation token like "OK" for uploading an invoice can cause unintended destructive actions, because users often say "OK" conversationally without meaning "publish business data to GitHub." In this skill, the action is especially sensitive because it writes invoice data containing business and personal information to a repository.

Vague Triggers

Medium
Confidence
98% confidence
Finding
Natural-language confirmations like "Ja" and "Hochladen" are too broad for a write action that persists sensitive invoice records to GitHub. They are vulnerable to accidental triggering, contextual confusion, and prompt-injection-style conversational manipulation where a user response intended for one question is interpreted as approval to upload.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The example shows that after the user confirms upload, the invoice is not only pushed to GitHub but also automatically triggers downstream PDF generation and email sending, yet this side effect is only disclosed after the upload succeeds. This is a real safety and security issue because users may authorize what they believe is a storage action without understanding it also initiates external transmission of billing data to recipients.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The example shows the assistant preparing an offer and then asking whether to upload it, but the command flow omits any upfront warning that this action will create persistent business records on GitHub and may expose or modify customer and financial data. In an agent setting, examples strongly shape behavior; demonstrating state-changing operations without explicit confirmation and data-sensitivity warnings increases the risk of unintended uploads, disclosure of invoice contents, or accidental record creation.

Credential Access

High
Category
Privilege Escalation
Content
"env": [
    {
      "name": "GITHUB_TOKEN",
      "description": "GitHub Personal Access Token with contents:write permissions",
      "required": true
    },
    {
Confidence
90% confidence
Finding
Access Token

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.