BS Deep Analysis

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed QuickBooks balance-sheet reporting skill, but its reports and cache can contain sensitive financial details.

Install only where you expect the agent to access that QuickBooks company. Review the local pipeline script before running it, use secure output directories, and delete or protect generated Excel and cache files because they may include financial, vendor, payee, and transaction-level details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly states it pulls balance sheet, general ledger, and transaction-level drill-down data and generates an Excel workbook plus cache files, but it does not warn users that these outputs may contain sensitive financial and vendor/payee data stored locally. This can lead to accidental disclosure through insecure desktop directories, shared machines, synced folders, or improperly protected cache files.

VirusTotal

66/66 vendors flagged this skill as clean.
