crs-report-generator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to work locally for CRS report generation, but it should be reviewed because its redaction claims conflict with code that can write sensitive financial identifiers into an Excel file.

Install only if you intend to process sensitive financial PDFs locally. Treat both the input PDFs and generated Excel files as confidential, do not rely on the stated automatic redaction, and manually inspect or remove names, account numbers, tax identifiers, balances, and transaction details before sharing the report.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill is explicitly designed to ingest highly sensitive financial PDFs containing personal and account data, yet the description provides no explicit privacy, retention, consent, or secure-handling requirements. In a tax-reporting workflow, this omission increases the risk of unauthorized disclosure, over-collection, improper storage, or accidental propagation of regulated financial information into generated outputs.

VirusTotal

63/63 vendors flagged this skill as clean.