Client Dashboard

Security checks across malware telemetry and agentic risk

Overview

The skill has a clear accounting purpose, but it relies on authenticated QuickBooks access and an external local pipeline that is not included in the reviewed package.

Install only if you trust and can inspect the referenced local pipeline script, know exactly which QuickBooks company/profile the qbo-client connection will use, and are comfortable storing client KPI snapshots under .cache plus generated Excel workbooks on disk. Treat both the workbook and cache as confidential client financial data and delete old cache files when no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill documentation does not clearly warn users that running it will access QuickBooks Online financial data, generate client-facing Excel reports, and persist a local CDC cache under .cache/client-dashboard/{slug}.json. This creates a transparency and consent gap: users may expose sensitive financial data to local storage or create distributable artifacts without realizing the data-handling side effects.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal