Back to skill

Security audit

Global Invoice Recognition and extraction(ADP)

Security checks across malware telemetry and agentic risk

Overview

This is a real invoice-extraction helper, but it asks users to send sensitive financial documents to a cloud service while bundling broader document-processing and app-management instructions than the invoice-only purpose suggests.

Install only if you are comfortable using Laiye ADP's cloud service for invoices and related business documents under its API, billing, privacy, and retention terms. Use a scoped API key if available, avoid the custom-app administrative commands unless you intentionally want to manage ADP configuration, and choose secure local export paths for extracted results.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The README describes a much broader document-processing and application-management CLI than the skill metadata advertises. This scope mismatch is security-relevant because an agent or user may invoke capabilities such as generic parsing, remote URL handling, task querying, or custom app management that exceed the expected invoice-only extraction boundary, increasing the chance of unintended data exposure or misuse.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Documenting custom application creation, update, and deletion introduces a materially broader control surface than simple invoice extraction. In an agent skill context, this can let the skill alter extraction behavior or manage other applications unexpectedly, which violates user expectations and can enable unauthorized workflow changes or data handling beyond the advertised purpose.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Generic document parsing is broader than invoice field extraction and may process arbitrary documents, not just invoices. In this skill context that makes the issue more dangerous, because users may trust the skill with invoice-limited semantics while the underlying tool can ingest and transform unrelated sensitive documents.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The README presents this skill as a wrapper around a broad, general-purpose document-processing CLI rather than a narrowly scoped invoice-only extractor. That scope mismatch is security-relevant because agents may be induced to perform parsing, extraction, and workflow actions on arbitrary documents beyond the declared capability, increasing the risk of unintended data exposure and overbroad tool use.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
Documenting custom application lifecycle operations in an invoice extraction skill materially expands its authority beyond simple field extraction. In an agent context, create/update/delete capabilities can let the skill reconfigure downstream behavior or manipulate extraction logic, violating least privilege and enabling unintended state-changing actions.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Application-management capabilities are not justified by the stated invoice-recognition purpose and create unnecessary privilege in the skill context. Even if not overtly malicious, exposing management functions increases the chance that an agent uses the tool for unrelated administrative actions or accesses broader document-processing resources than intended.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Custom app creation, update, deletion, and AI field-generation are context-inappropriate for an invoice extraction skill and represent powerful configuration-changing operations. In an agentic environment, these functions could be abused to alter extraction schemas, create covert exfiltration-oriented workflows, or disrupt existing applications, making the mismatch more dangerous than in a purely human-operated admin tool.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README shows remote URL processing but does not clearly warn that document URLs and fetched content are sent to an external ADP cloud service. This is a real data-transmission transparency issue: users or agents may submit invoices or other financial documents assuming local-only handling, leading to unanticipated third-party disclosure of sensitive business data.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README encourages processing remote URLs and exporting/querying results while not clearly warning that documents and extracted data may be transmitted to a public cloud service and written to local storage. In the context of invoice processing, this is significant because invoices often contain financial, tax, vendor, and personal data, so silent transmission or persistence can create confidentiality and compliance issues.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs users to send invoices, receipts, and extracted financial fields to a third-party remote ADP service, but it does not prominently warn that these files may contain sensitive financial, personal, or tax information. In a document-processing skill focused on invoices, the absence of explicit privacy, retention, and consent guidance increases the risk of unintentional data exposure or policy violations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The command examples directly encourage uploading local files, URLs, and Base64-encoded invoice content without warning that invoices commonly contain PII, payment data, addresses, tax IDs, and commercially sensitive information. Because the skill is explicitly designed for accounts payable and cross-border document processing, users are likely to handle real confidential business records, making this omission materially risky.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.