Back to skill

Security audit

SOLO.ro cli

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it says, but it gives an agent access to sensitive accounting data and write actions without enough safety guidance.

Install only if you trust the Homebrew tap and the SOLO.ro CLI it provides. Protect the config and cookie files as credentials, and do not allow an agent to run upload or queue delete commands unless you have explicitly confirmed the account, file, and queue item ID.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The help text documents mutating capabilities such as queue deletion and file upload even though the skill description frames the tool primarily as a monitoring and interaction aid for accounting data. This mismatch can cause an agent or user to invoke state-changing operations under a read-oriented trust assumption, increasing the risk of unintended deletion or transmission of sensitive financial documents.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill documents a destructive command (`queue delete <ID>`) with example usage but provides no warning, confirmation guidance, or recommendation to verify the target ID first. In an accounting context, deleting queued financial documents can cause data loss, workflow disruption, or accidental removal of records the user intended to retain.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs users to place SOLO.ro username and password in a local JSON config file and emphasizes that credentials are stored locally, but it does not warn about the sensitivity of that file or advise file-permission hardening and safer secret handling. If the workstation is shared, compromised, or backed up insecurely, plaintext credentials and cached session cookies could be exposed and reused to access accounting data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Documenting `queue delete <id>` without any caution, confirmation semantics, or warning makes destructive behavior easy to trigger accidentally, especially when an agent may translate user intent into commands. In an accounting workflow, deleting queued expense items can lead to loss of work, missed processing, or integrity issues in financial records.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The `upload <file>` command sends a local document into the accounting platform, but the help text gives no notice that sensitive files may be transmitted or stored remotely. In a finance context, uploaded invoices and receipts often contain personal and business data, so omission of privacy and destination warnings can cause inadvertent data exposure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.