Security audit

记账工具 (Bookkeeping Tool)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local bookkeeping skill, but it needs review because it can install a global dependency and change, delete, import, or export sensitive financial records without clear confirmation gates.

Install only if you are comfortable with an agent managing local personal finance records. Prefer a local pinned dependency setup over the global npm install, keep backups of the SQLite database, and require explicit confirmation before delete, import, or export operations, especially when file paths are involved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill instructs the agent to run `npm install -g better-sqlite3` if a dependency is missing, which grants the skill system-wide package installation capability unrelated to a narrowly scoped bookkeeping action. Global package installation modifies the host environment, can introduce supply-chain risk, and creates persistence beyond the current task, making this an unsafe escalation of privileges/capabilities.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill exposes destructive and privacy-impacting operations such as deleting transactions and importing/exporting financial records without an explicit warning or confirmation requirement. In a bookkeeping context, these actions affect sensitive personal financial data and can cause data loss or unintended disclosure if triggered mistakenly or by ambiguous user input.

Missing User Warnings

Medium
Confidence: 84%
Finding
The import command accepts a user-specified filesystem path, reads the file, and mutates the SQLite database in bulk without any confirmation, dry-run mode, or path restrictions. In an agent-integrated context, this can let a prompt or untrusted instruction trigger destructive or misleading financial-data changes from arbitrary local files, which is more dangerous because the skill is designed to act on natural-language bookkeeping requests.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.