Income Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local income-tracking skill; the main risk is that income records are stored locally in plaintext.

Install only if you are comfortable storing income amounts, sources, dates, notes, and tags in a local plaintext JSON file. Use a private DATA_PATH, avoid putting secrets in notes, protect backups and exports, and review any future version that adds real cloud sync or live exchange-rate network calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 86%
Finding
The skill states that it supports cloud sync and real-time exchange-rate retrieval, which implies outbound network access and possible transmission of financial records, but it does not clearly disclose what data leaves the device, to which services, or under what consent model. For a finance-related skill handling potentially sensitive income data, this lack of transparency can lead to privacy leakage and user surprise.

Missing User Warnings

Low
Confidence: 84%
Finding
Mentioning a real-time exchange-rate interface without warning users about outbound network calls is a legitimate security/privacy concern, especially in a personal finance context. Even if only currency/rate queries are sent, users should be informed that network access occurs and understand whether any contextual financial data may be exposed.

VirusTotal

65/65 vendors flagged this skill as clean.
