Security audit

Ntriq X402 Invoice Extract

Security checks across malware telemetry and agentic risk

Overview

This skill does invoice extraction through a paid remote API, but it misleadingly says there is no cloud upload while sending invoice data to that service.

Review before installing. Use this only for invoices you are comfortable sending to ntriq's remote service, verify its privacy and retention terms, and keep x402 wallet approvals or spending limits tight because each call can spend USDC.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill advertises invoice extraction but does not clearly warn users that invoice images or extracted billing data are transmitted to a remote paid endpoint. Because invoices commonly contain sensitive financial and personal data, this omission can mislead users into sharing confidential documents without informed consent, increasing privacy, compliance, and data-handling risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.