Back to skill

Security audit

Invoice From Email

Security checks across malware telemetry and agentic risk

Overview

The skill’s invoice workflow is mostly coherent, but it asks agents to handle and persist mailbox credentials in another skill’s config, which needs human review before installation.

Install only if you are comfortable granting this skill mailbox access and storing mailbox credentials locally. Prefer configuring the email skill through its own trusted setup flow, avoid printing .env contents, approve narrow date ranges before searches, and review where downloaded attachments, temporary files, and Desktop outputs will be stored.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to read another skill's .env file containing mailbox credentials and use those secrets to process email content. Cross-skill secret access breaks isolation boundaries and expands the blast radius: compromise or misuse of this skill can expose credentials and mailbox data unrelated to the immediate task.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill directs the agent to create or overwrite another skill's .env file with mailbox secrets, creating persistent credential storage outside its own trust boundary. This can overwrite existing configuration, leak secrets to unrelated workflows, and normalize unsafe secret handling by instructing the agent to manipulate raw credentials directly.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow asks the agent to collect an email address and authorization code and write them to disk without an explicit warning that these are sensitive secrets. Users may not understand the persistence, scope, or risk of storing mailbox credentials locally, which increases the chance of accidental disclosure or unsafe reuse.

Ssd 3

High
Confidence
96% confidence
Finding
Reading stored email credentials from a local .env file and using them to access mailbox contents creates a direct path for sensitive data exposure. Because the skill then processes private emails and attachments into local artifacts, any misuse, over-broad prompting, or logging could disclose mailbox data and secrets in natural-language outputs or files.

Ssd 3

High
Confidence
98% confidence
Finding
The skill explicitly instructs the agent to collect the user's mailbox address and authorization code and persist them in a .env file. That creates a durable secret exposure risk and makes later compromise of the host, workspace, or adjacent skills much more damaging because mailbox credentials remain available in plaintext-like configuration storage.

Ssd 3

High
Confidence
93% confidence
Finding
The core workflow performs broad search, download, extraction, parsing, and summarization of private email attachments into local directories and Excel outputs. Even if aligned with the feature goal, this is highly sensitive data handling: invoices, itineraries, ticket records, and related metadata can contain personal, financial, and travel information whose aggregation materially increases privacy risk.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.