Security audit

Budget Buddy Pro

Security checks across malware telemetry and agentic risk

Overview

This budgeting skill is mostly coherent, but it handles bank data while under-disclosing web lookups, raw statement retention, and persistent local writes.

Review before installing. Use it only if you are comfortable with sensitive financial data being stored locally by the agent, and disable or avoid `web_search` for merchant or transaction-derived lookups unless you explicitly approve each lookup. Back up existing budget data before running setup, and delete raw statements from the skill data directory when they are no longer needed.

SkillSpector (by NVIDIA)

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (13)

Description-Behavior Mismatch

Severity: Medium | Confidence: 92%

The skill promises 'zero cloud dependency' and that user financial data never leaves the machine, but it also documents use of `web_search` for vendor lookups and exchange rates. That creates a contradiction that can lead to accidental disclosure of sensitive transaction metadata to external services, especially in a personal-finance context where vendor names and timing can be highly identifying.

Description-Behavior Mismatch

Severity: Medium | Confidence: 95%

The prompt states that financial data must never be exposed outside the user's private session, yet the allowed toolset includes external lookup capability. In a budgeting skill handling bank statements, even partial data such as merchant names, memos, or recurring charges can reveal sensitive behavior and undermine the stated privacy guarantees.

Intent-Code Divergence

Severity: High | Confidence: 87%

The spec directs the UI to trigger a local parsing script on uploaded CSV/PDF files in the background, which expands the trust boundary from a passive browser UI to local code execution and file processing. Because uploaded financial documents are attacker-controlled input, invoking a parser without clearly defined isolation, validation, and consent can create a meaningful attack surface, especially for complex PDF parsing paths.

Vague Triggers

Severity: Medium | Confidence: 81%

The README suggests natural-language trigger phrases like "Help me set up my budget" to invoke the skill. If the hosting agent uses broad phrase matching, ordinary conversation could unintentionally activate financial-processing behavior, leading to accidental handling of sensitive files or actions the user did not explicitly intend.

Missing User Warnings

Severity: Medium | Confidence: 88%

This skill encourages users to drop bank statements and other financial records into the agent workflow without a prominent warning about the sensitivity of those documents. In practice, users may expose account numbers, balances, addresses, and transaction history to an agent environment they have not fully secured or configured safely.

Vague Triggers

Severity: Medium | Confidence: 82%

The post-setup guidance encourages the agent to react to very common everyday financial remarks, such as spending updates or savings goals, and says the agent will 'handle everything from there.' If the underlying skill activation is broad, this can cause unintended invocation on ordinary conversation or sensitive financial content, increasing the chance of over-collection or actions outside user intent.

Vague Triggers

Severity: Medium | Confidence: 83%

The usage trigger is extremely broad ('anything related to personal finance management'), which can cause the skill to activate in ordinary conversations and begin handling sensitive financial workflows unexpectedly. In an agentic setting with file access and write capabilities, overbroad activation increases the risk of unintended processing, storage, or modification of user financial data.

Vague Triggers

Severity: Medium | Confidence: 79%

The budget-creation trigger examples are vague and overlap with common speech, which can cause the skill to initiate budgeting flows or create files from casual conversation. Because this skill writes persistent financial records, ambiguous triggers can lead to unintended state changes and accidental collection of sensitive data.

Missing User Warnings

Severity: Medium | Confidence: 84%

The spec describes background handling of sensitive uploaded statements without any notice about what happens to the files, where they are processed, or what risks are involved. For financial documents, lack of transparency can lead users to expose sensitive data without informed consent and can hide risky local processing behavior.

Missing User Warnings

Severity: Medium | Confidence: 90%

The spec states that raw uploaded statements are stored under `data/statements/` but gives no warning about retention of highly sensitive financial records. Retaining source documents increases exposure if the local machine is shared, backed up insecurely, or later compromised, and users may not realize the originals persist after import.

Missing User Warnings

Severity: Medium | Confidence: 93%

The manifest defines collection, storage, and sync of highly sensitive personal finance data including transactions, savings goals, bills, and net worth snapshots, but provides no user-facing disclosure about what data is synced, where it is sent, how long it is retained, or how it is protected. In a finance-oriented skill, this omission materially increases privacy and compliance risk because users may unknowingly expose sensitive financial history and account-related metadata.

Missing User Warnings

Severity: Medium | Confidence: 94%

The example states 'I've saved this to your data files' without showing explicit user consent, confirmation of persistence, or a prior warning that financial data will be written to storage. In a budgeting context, this involves sensitive personal financial information, so silent or unclear persistence can violate user expectations, create privacy risk, and encourage implementations that store data without informed consent.

Missing User Warnings

Severity: Medium | Confidence: 86%

The script writes parsed bank-statement data, including vendor names, dates, and amounts, to a persistent JSON file on disk without any explicit warning, confirmation, or opt-in from the user. In a skill context handling financial records, silent persistence of sensitive data increases the chance of unintended retention, later exposure through backups/sync, or disclosure to other local users/processes despite the chmod 0600 step.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.prompt_injection_instructions (severity: Warn, location: SKILL.md:20)

Prompt-injection style instruction pattern detected.