Debt payoff plan comparison

Security checks across malware telemetry and agentic risk

Overview

This skill clearly says it sends user-provided debt and mortgage details to a Loan Doctor planning API, and I found no hidden persistence, credential access, or destructive behavior.

Install only if you are comfortable sharing the entered financial details with the configured Loan Doctor endpoint. Confirm consent before each submission, avoid unfamiliar base-url overrides, prefer HTTPS destinations, and treat saved output JSON as sensitive financial information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The script transmits the entire debt-planning payload to a remote service, and that payload can contain highly sensitive financial information such as balances, rates, payments, and home appraisal data. While the network call is functionally necessary for the skill, the lack of explicit disclosure or consent increases privacy and compliance risk because users or calling systems may not realize personal financial data is being sent off-host.

VirusTotal

66/66 vendors flagged this skill as clean.
