Back to skill

Security audit

george

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real banking automation skill, but it includes payment-order upload/signing and local reusable session-token storage that need manual review.

Install only if you intentionally want an agent involved with your George banking session. Treat the workspace george directory, token.json, debug files, and outputs as sensitive banking material; run logout after use. Avoid the data-carrier upload/sign commands unless you explicitly intend to process payment/order files, and prefer using this only on a trusted, private machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill exercises sensitive capabilities including network access, filesystem reads/writes, shell execution, and environment access, yet the manifest does not declare permissions or clearly scope those powers. In a banking automation context, undeclared capabilities reduce transparency and prevent users or enforcement layers from understanding that the skill can access credentials, session state, downloaded statements, and potentially invoke external tools.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The declared purpose says the skill only handles login/logout, account listing, and transaction fetching, but the documented behavior includes materially more sensitive operations such as downloading statements, exporting banking data, portfolio access, and uploading/signing payment orders. This mismatch can mislead users and reviewers into granting trust to a skill that can initiate or authorize financial operations beyond read-only access.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The documentation explicitly exposes datacarrier upload and signing workflows even though the manifest frames the skill as a simpler banking information retriever. In the banking context, hidden or under-disclosed payment initiation/signing functionality is especially dangerous because it can enable unauthorized or unexpected money movement if an agent or user assumes the skill is read-only.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The summary and description present a narrower scope than the actual documented feature set, omitting portfolio access and datacarrier workflows. While similar to the other disclosure issues, this broader presentation problem still matters because users may underestimate the sensitivity and authority of the skill when deciding whether to install or invoke it.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata describes read-oriented banking automation, but the code also supports data-carrier upload and signing, which can initiate or authorize financial operations. In a banking context this is materially more dangerous than account listing or transaction retrieval because it expands capability from observation to action.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file implements statements, data exports, and securities/portfolio access beyond the narrower manifest description. In financial automation, undeclared access to additional categories of sensitive data increases privacy and operational risk because users and orchestrators may grant trust based on an incomplete scope description.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup documentation explicitly states that session tokens are cached in `{workspace}/george/token.json`, but it provides no warning that this file is sensitive authentication material. Anyone with filesystem access to the workspace may be able to reuse or extract the token, reducing the protection provided by interactive 2FA and enabling unauthorized access to banking sessions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document recommends persisting authenticated banking access tokens in a local token cache for session reuse, but it does not specify strong protections such as encryption at rest, restrictive file permissions, secure OS-backed secret storage, or explicit user consent. If those tokens are stored insecurely, any local compromise, malware, or accidental disclosure of the state directory could allow unauthorized access to the user's banking session without re-authentication.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The verification code is printed to stdout, which may be captured by orchestration logs, terminals, chat relays, or other observers. In this skill's context, the code is part of a banking login approval flow, so exposing it can aid session hijacking or leak sensitive authentication material to unintended parties.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill persists bearer access tokens to disk in `token.json`. Even with restrictive permissions, disk persistence of banking tokens increases the blast radius of local compromise, backup leakage, workspace sharing, or accidental exfiltration of state directories.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/george.py:285