Security audit

Conto

Security checks across malware telemetry and agentic risk

Overview

This looks like a real Conto payment-policy skill, but it gives an agent high-impact authority to change spending controls and move funds with limited confirmation safeguards.

Install only if you intend to let the agent interact with Conto payment controls. Prefer a Standard SDK key for normal payment approval, keep Admin keys out of auto-running chat agents, require explicit human confirmation before transfers and before creating, replacing, or deleting policies, and monitor Conto dashboard activity after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium, 93% confidence
The skill is described as enforcing payment checks before funds leave a wallet, but it also exposes full policy-administration operations including creation, modification, and deletion of policies and rules. In an agent setting, this significantly broadens the authority surface: a caller expecting a read/check tool could instead weaken or remove protections, enabling subsequent unauthorized payments.

Context-Inappropriate Capability

Medium, 95% confidence
The script includes destructive administrative capabilities such as delete-policy, set-rules, and delete-rule that can directly remove or replace spending controls. Because this skill operates in the context of wallet-protection workflows, these actions can be abused to disable safeguards immediately before executing transfers, undermining the skill's stated security purpose.

Vague Triggers

Medium, 92% confidence
The README says the skill can activate automatically when users 'mention policies/payments naturally,' which is overly broad for a high-risk financial skill. In a wallet/payment context, ambiguous matching can cause the agent to invoke policy-management or payment-approval logic during ordinary conversation, increasing the chance of unintended financial controls or side effects.

Missing User Warnings

Medium, 87% confidence
The README encourages creating, deleting, and managing live spending policies but does not prominently warn that these changes can immediately block legitimate payments, loosen controls, or require human approvals unexpectedly. In a financial enforcement skill, missing warnings and guardrails can lead users to apply destructive or overbroad policies in production without understanding the operational impact.

Vague Triggers

Medium, 88% confidence
The activation criteria apply to essentially any transaction that moves value, without tight boundaries or exclusion rules. Overbroad triggering increases the chance the skill intercepts unrelated flows and autonomously inserts payment-gating or admin behavior into user requests where it was not clearly intended.

Missing User Warnings

High, 99% confidence
The skill explicitly instructs the agent to execute wallet transfers after policy approval and says not to ask the user to execute them. That removes a final user-confirmation barrier before funds move, which is especially risky because policy approval is not equivalent to user authorization for a specific transaction.

Missing User Warnings

Medium, 90% confidence
Administrative delete and rule-replacement actions are executed immediately with no interactive warning, dry-run, or confirmation barrier. In agent-driven environments, accidental invocation, prompt injection, or ambiguous user intent can therefore result in permanent removal or replacement of financial guardrails without the operator realizing it until after policies have changed.

VirusTotal

66 of 66 vendors reported this skill as clean.

Static analysis

No suspicious patterns detected.