George Banking Automation

Security checks across malware telemetry and agentic risk

Overview

This banking automation skill can access sensitive account data, cache bank session tokens, and initiate payment-file signing, but those high-impact powers are not fully clear from the short description.

Install only if you intentionally want an agent to automate George banking. Use a private workspace on a trusted machine, run logout after use, avoid --debug unless you need raw financial payloads, and personally verify every data-carrier upload and signing approval in the bank app before confirming it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill exercises sensitive capabilities including network access, shell execution, file reads/writes, and environment access, yet the manifest does not declare permissions or warn consumers about this trust boundary. In a banking automation context, undeclared capabilities are especially dangerous because they can access credentials, session tokens, account data, and potentially perform financial actions without clear user consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The description frames the skill as read-oriented banking automation, but the actual documented behavior includes high-risk write operations such as payment/data-carrier upload and signing, plus broader data extraction than advertised. This mismatch can mislead users, reviewers, and policy engines into granting approval for what appears to be a low-risk account-query skill when it can also initiate or approve financial workflows.

Description-Behavior Mismatch

High
Confidence
79% confidence
Finding
The top-level description omits portfolio retrieval even though the documentation says the skill fetches stock/depot portfolio data. While less severe than hidden payment features, this still broadens the scope of sensitive financial data accessed beyond what a user may expect, increasing privacy and data-handling risk.

Description-Behavior Mismatch

Medium
Confidence
79% confidence
Finding
The top-level description omits portfolio retrieval even though the documentation says the skill fetches stock/depot portfolio data. While less severe than hidden payment features, this still broadens the scope of sensitive financial data accessed beyond what a user may expect, increasing privacy and data-handling risk.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The document describes capturing an Authorization header during an authenticated browser session to make internal API calls, which materially increases capability beyond simple UI automation. In a banking context, bearer-token capture creates a reusable secret that can enable direct account access outside normal UI controls, making compromise or misuse significantly more dangerous.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The proposed persistent token cache stores a live banking access token in a profile directory for reuse across commands. If that file is read by another local process, backed up insecurely, or left behind on shared systems, an attacker could replay the token to access sensitive banking data without re-authentication.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The published scope says the skill handles login/logout, account listing, and transactions, but the code also supports statement downloads, data export downloads, datacarrier uploads, and datacarrier signing. In a banking automation context, hidden capability expansion is dangerous because users or orchestrators may grant trust and permissions based on an incomplete description while the skill can initiate higher-risk financial operations.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The code retrieves securities/depot account information and holdings, which goes beyond the declared account-and-transaction scope. In a financial setting this expands access to additional sensitive asset data that operators may not expect the skill to handle.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The notes disclose that session state is stored on disk, but the skill description lacks an explicit warning about persistent authentication artifacts. For a banking skill, local cookies, tokens, and browser profile data are highly sensitive; if users are not clearly warned, they may run the skill in shared or insecure environments and leave recoverable auth state behind.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation proposes writing bearer access tokens to `token.json` without any warning or consent around credential storage risk. In a banking skill, silently storing reusable authentication material materially elevates the chance of account data exposure or session hijacking from local compromise.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
When --debug is enabled, the script writes raw bank-native payloads to disk, including account, transaction, portfolio, and potentially other sensitive financial data. Although permissions are hardened, users are not explicitly warned at enablement time about the breadth and sensitivity of the persisted data, increasing risk of accidental retention and exposure.

VirusTotal

67/67 vendors flagged this skill as clean.
