Back to skill

Security audit

Global Purchase Order Recognition and Extraction(ADP)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Laiye ADP document-extraction skill, but it needs review because its packaged instructions expose broader document-processing and admin capabilities than purchase-order extraction requires.

Install only if you are comfortable using Laiye ADP as a cloud processor for order documents and storing an ADP API key locally. Prefer npm or reviewed release binaries over the pipe-to-shell installers, keep the agent limited to the built-in order extraction app, and avoid custom-app management or broad document parsing unless you explicitly intend to grant those capabilities.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The README presents a general-purpose ADP CLI for broad document parsing, extraction, application management, and workflow automation, while the declared skill is narrowly scoped to purchase-order/sales-order extraction. This scope mismatch is dangerous because it can mislead an agent or user into invoking capabilities far beyond the approved purpose, increasing the attack surface and enabling unintended document access or processing.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Documenting custom application creation, update, deletion, and AI-generated field design introduces privileged platform-management functions unrelated to purchase-order extraction. In the context of an agent skill, this expands from data extraction into configuration and lifecycle control, which could let an agent modify extraction behavior, create unauthorized apps, or affect other workloads.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
Supporting extraction or parsing from arbitrary remote URLs is broader than a narrow purchase-order recognition skill and can cause the service to fetch attacker-controlled or unintended external content. While this is a common product feature, in agent context it increases risk of unauthorized outbound requests, data exfiltration paths, and misuse outside the intended document-processing workflow.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The README documents a general-purpose agentic document processing CLI rather than a narrowly scoped purchase-order extraction skill. This scope mismatch is dangerous because an agent or user selecting the skill based on its metadata could gain access to broader parsing and automation capabilities than expected, violating least privilege and enabling unintended data handling.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The documented commands allow creating, updating, and deleting custom applications and AI-generating extraction configurations, which goes far beyond a fixed extraction skill. In an agent environment, this materially increases risk because the skill can mutate service-side configurations and create new workflows, potentially enabling privilege expansion, destructive changes, or misuse of paid cloud resources.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The README advertises generic parsing and extraction across invoices, receipts, certificates, bills, and general documents, not just purchase or sales orders. This broader capability makes the skill more dangerous in context because it invites processing of arbitrary documents and sensitive business records under the guise of a narrowly described order-extraction tool.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is presented as a narrow purchase-order extraction capability, but it explicitly advertises and enables a broader general-purpose document-processing platform. That scope expansion increases the chance an agent or user will invoke unrelated capabilities with different data sensitivities and trust assumptions, violating least privilege and making the skill materially more dangerous than its stated purpose.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The skill includes authentication setup and account-related operations that are operationally necessary, but it does so without tight scoping or clear safeguards around secret handling. In an agent setting, prompting for API keys and exposing billing/credit commands can lead to credential leakage into chat history, logs, shell history, or shared context.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The app discovery flow allows listing all available ADP apps and selecting based on names, which exposes a path to use arbitrary platform capabilities beyond purchase-order extraction. In a constrained skill, this undermines capability boundaries and can cause an agent to access or process document types the user did not intend to authorize.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The README instructs users to pipe a remotely fetched shell or PowerShell script directly into an interpreter without prior inspection or integrity verification. This is dangerous because any compromise of the source repository, transport path, or referenced script can result in immediate arbitrary code execution on the user's machine.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README includes one-line commands that fetch and immediately execute remote scripts, but gives no warning about the trust and integrity risks of running downloaded code. This is dangerous because any compromise of the hosting location, repository, network path, or referenced script can lead to arbitrary code execution on the user's machine.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to submit local documents and remote URLs to a third-party cloud service, but it does not clearly warn that potentially sensitive purchase-order data will leave the local environment. Because purchase orders commonly contain names, addresses, supplier data, pricing, and commercial terms, silent transmission to an external processor creates material confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The installation instructions include piping remotely fetched shell and PowerShell scripts directly into an interpreter without any integrity verification or warning. If the remote source, repository, network path, or account is compromised, this can result in immediate arbitrary code execution on the user's machine.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill tells users to set and reuse an API key but does not adequately warn about secret exposure risks in command history, logs, screenshots, transcripts, or persisted agent memory. In an agent workflow, this omission is especially risky because secrets may be retained or replayed across sessions and tools.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

No suspicious patterns detected.