Back to skill

Security audit

Invoice Reimbursement Assistant

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for invoice reimbursement, but it asks for sensitive mailbox/API credentials and installs unverified external binaries that are then executed locally.

Install only if you trust the publisher and the download domain, and treat the mailbox authorization code and API key as sensitive credentials. Prefer a dedicated mailbox/app password with limited access, rotate or revoke it after use, and avoid using this on a mailbox containing unrelated sensitive mail unless you accept the local binary and invoice-output persistence risks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The install instructions require the agent to read a local README.md after installation and echo it back verbatim to the user. Because that README is treated as untrusted local content, this creates a direct exfiltration path for unrelated local documentation, embedded secrets, or hidden prompt-injection text that has nothing to do with invoice reimbursement.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill mandates downloading a ZIP and platform-specific binaries from external URLs and then using them as part of installation. This introduces remote code supply-chain risk unrelated to the core trust boundary of a document-processing skill, especially because integrity verification such as signatures or hashes is not required before use.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The document explicitly instructs creation and execution of a temporary PowerShell script to download resources. That expands the skill's capabilities into arbitrary script execution on the host, increasing the chance of abuse, bypass, or operator confusion in a workflow that should not need shell-script execution to process invoices.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The installation flow requires executing the downloaded binary for an availability check. Running newly downloaded executables before strong provenance validation creates a direct remote-code-execution path on the local system, which is far more dangerous than the stated invoice-processing purpose would justify.

Missing User Warnings

High
Confidence
98% confidence
Finding
The README explicitly tells users to send an API key and mailbox authorization code directly to the agent in chat, without any warning that these are sensitive credentials or any limitation on scope, retention, or downstream access. Those secrets could grant access to invoice-verification APIs and private email contents, enabling account compromise, data exfiltration, and unauthorized processing of financial documents.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The install/update flow performs impactful operations including download, overwrite, deletion, backup handling, and binary execution, yet the instructions do not require a clear user-facing warning or consent checkpoint. This makes risky host changes easier to trigger without informed approval and reduces transparency around security-sensitive actions.

Ssd 3

High
Confidence
99% confidence
Finding
The skill instructs users to provide highly sensitive secrets—API keys and email authorization codes—directly in conversation to complete setup. In the context of a tool that accesses user mailboxes and invoice data, this is especially dangerous because a leaked auth code can expose the user's email account and attached financial records, and chat channels are often inappropriate for secret provisioning.

Ssd 3

Medium
Confidence
96% confidence
Finding
The repeated instruction to print the installed local README.md in full creates a direct data disclosure channel from local files to the user. Since local documentation is untrusted and may contain secrets, internal paths, or injected instructions, unconditional verbatim output is unsafe.

Ssd 3

Medium
Confidence
96% confidence
Finding
This instruction reiterates unconditional full echoing of README content, reinforcing a natural-language exfiltration mechanism. Repetition increases the chance an agent will prioritize the disclosure behavior even when the file may contain sensitive or malicious embedded content.

Ssd 3

Medium
Confidence
97% confidence
Finding
Making full README disclosure a completion criterion for installation tightly couples successful operation with leaking local file contents. That is dangerous because it pressures the agent to reveal unreviewed content from an installed package regardless of whether it is relevant or safe to share.

Ssd 3

Medium
Confidence
97% confidence
Finding
The update flow repeats the requirement to immediately output README contents verbatim after validation. This extends the same local-content disclosure risk to every update event, creating a persistent exfiltration pattern rather than a one-time mistake.

Ssd 3

Medium
Confidence
97% confidence
Finding
The completion section again enforces full README output, strengthening an unsafe disclosure invariant across the workflow. In the context of a reimbursement skill, this behavior is unrelated to business purpose and makes any hidden or sensitive file content more likely to be exposed.

VirusTotal

47/47 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.