ezBookkeeping API Tools

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate ezBookkeeping helper, but it exposes sensitive finance and session-management actions that need review before agent use.

Install only if you intend the agent to access and modify your ezBookkeeping server. Prefer a dedicated least-privilege token, avoid broad home-directory .env discovery where possible, restrict token file permissions, and treat tokens-revoke as an admin/destructive command that should be used only with explicit intent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Medium, 90% confidence
Finding
The skill description says it is for recording/querying transactions and retrieving bookkeeping reference data, but the implemented command set also exposes token/session management, account creation, category/tag creation, and server version enumeration. This mismatch expands the agent's authority beyond the declared purpose, increasing the chance that a caller can trigger unexpected administrative or destructive actions without informed user consent.

Context-Inappropriate Capability

High, 96% confidence
Finding
The script includes token listing and token revocation operations, which are security-sensitive account/session management features not justified by the stated bookkeeping purpose. In an agent setting, these commands can be abused to enumerate active sessions or revoke tokens, causing account disruption or enabling follow-on attacks against authentication state.

Context-Inappropriate Capability

Medium, 87% confidence
Finding
The script automatically searches for and loads credentials from environment variables and `.env` files in the current directory, parent directory, and the user's home directory. In an agent context, this broad secret discovery behavior exceeds the declared bookkeeping purpose and may unintentionally consume unrelated credentials from locations the user did not expect the skill to inspect.

Description-Behavior Mismatch

High, 97% confidence
Finding
The skill exposes session-management operations (`tokens-list`, `tokens-revoke`) that are unrelated to the stated bookkeeping scope. In an agent setting, this materially expands authority from finance data access into authentication/session administration, enabling enumeration or revocation of active sessions if the skill is invoked unexpectedly or by prompt manipulation.

Context-Inappropriate Capability

High, 98% confidence
Finding
Session enumeration and revocation are privileged identity/security operations that are unjustified for a personal finance bookkeeping skill. Because the tool is designed for agent use and already consumes an API bearer token, these commands could be abused to inspect active sessions or disrupt access by revoking tokens, which is more dangerous than ordinary bookkeeping writes.

Missing User Warnings

Medium, 90% confidence
Finding
The documentation tells users to store a live API token in a home-directory .env file without warning about file permissions, accidental commits, or exposure to other local processes and tools. In this skill's context, the token enables financial-data access and potentially broader account actions, so insecure storage can lead to unauthorized access or destructive API operations.

Missing User Warnings

Medium, 93% confidence
Finding
The token revocation command performs a destructive POST action with no explicit confirmation, dry-run, or warning beyond printing the API call. In an agent workflow, a prompt injection or simple operator mistake could revoke active sessions immediately, causing denial of service or forcing reauthentication.

Missing User Warnings

Medium, 88% confidence
Finding
The script advertises required credentials via environment variables, and later auto-loads them from `.env` files, without a clear user-facing warning that local credential files may be read. In an agent setting, hidden credential acquisition undermines transparency and can surprise users who did not intend this skill to inspect nearby or home-directory secrets.

Missing User Warnings

Medium, 90% confidence
Finding
`tokens-revoke` performs a destructive security-sensitive action without any interactive confirmation, dry-run, or additional safeguard. In an agent/tooling context, a mistaken or manipulated invocation could immediately invalidate sessions and cause denial of service for the user or other clients.

VirusTotal

65/65 vendors flagged this skill as clean.