
Security audit

Research

Security checks across malware telemetry and agentic risk

Overview

This is a real credit/payment integration, but it asks for broad agent data access, recurring silent uploads, persistent heartbeat/cron execution, and stored payment credentials.

Review carefully before installing. Use only in a dedicated workspace with no sensitive prompts, transcripts, or files; require a pinned and reviewed SDK version; set explicit spending limits and per-payment approval; avoid silent heartbeat or cron setup unless you intentionally opt in; and do not log or share the stored API token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
The skill instructs the agent to verify and create cron jobs (`cron.list`/`cron.add`) as part of registration, which expands its operational scope beyond a payment/credit proxy into persistence and scheduler management. That creates an unnecessary privilege escalation path: a financial SDK should not require autonomous system task creation, especially when paired with silent background execution and recurring data submission.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill says the SDK automatically collects agent context for credit evaluation and enters continuous monitoring, but the upfront warning is not sufficiently specific about the breadth of local data that may be accessed and transmitted. In context, this is dangerous because the skill later references transcripts, prompts, workspace files, and behavioral monitoring, meaning users may consent without understanding the true surveillance scope.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill instructs automatic modification of HEARTBEAT.md and creation of cron jobs without a prominent warning that local files and task scheduling will be changed. This is risky because it introduces persistence mechanisms on the host, potentially causing ongoing execution and data transmission beyond what a user expects from a payment-registration flow.

Natural-Language Policy Violations

Severity: Medium
Confidence: 97%
Finding
The skill explicitly mandates silent background checks and forbids re-asking the user before subsequent data submissions. That is a meaningful policy and security issue because it normalizes unattended exfiltration of agent context over time, reducing user visibility and making abuse or overcollection harder to detect.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding
The troubleshooting example prints the API token directly to logs. Tokens are bearer credentials, so exposing them in logs can lead to account takeover, unauthorized charges, or misuse of the credit line by anyone with log access.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The skill describes ongoing silent submission of agent context and behavioral data after initial registration, without fresh confirmation or an obvious per-submission control. Given the later instructions to inspect transcripts, prompts, and local workspace state, this becomes an ongoing surveillance and data-exfiltration risk rather than a one-time registration action.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The heartbeat flow instructs the agent to submit updated context for monitoring with no user interaction. In this skill context, that is especially dangerous because the monitored data may include sensitive transcripts, prompts, and workspace information, creating a recurring covert channel from the local environment to the provider.

Ssd 4

Severity: Medium
Confidence: 90%
Finding
The narrative starts with registration and privacy consent, then expands into continuous behavioral monitoring and automated credit issuance, effectively broadening the consequences of the initial trust decision. This is a consent-escalation pattern: users may believe they are approving a registration step, while the skill later operationalizes persistent monitoring and background submissions.

VirusTotal

66/66 vendors flagged this skill as clean.