ClawHub
Back to skill

Security audit

QBO Automation

Security checks across malware telemetry and agentic risk

Overview

This QuickBooks automation skill appears legitimate, but it can use powerful credentials to change live accounting records without enough safeguards or warnings.

Install only if you are comfortable letting an agent assist with QuickBooks workflows that can affect real books. Use a sandbox company first, store credentials in a managed secret store, avoid exposing refresh tokens in prompts or logs, use the least-privileged QBO account available, and require human review before any write to production accounting data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill states it is not for direct QBO OAuth setup, yet it includes code that performs a refresh-token exchange using client credentials and a refresh token. This inconsistency can mislead users about the skill's security boundary and encourages handling highly sensitive auth material inside the skill, increasing the chance of credential misuse or unintended token generation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs users to provide QBO client ID, client secret, refresh token, and realm ID via environment variables without an explicit warning about secret handling or the sensitivity of financial data sent to QuickBooks APIs. In an agent setting, this can normalize exposing long-lived credentials and transmitting accounting data without informed consent or least-privilege controls.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The examples create accounts and write to live QuickBooks resources without clearly warning that they mutate real accounting records. In accounting systems, unintended writes can corrupt ledgers, require manual cleanup, and create audit/compliance issues even if no external attacker is involved.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
def get_access_token():
    """Exchange refresh token for access token."""
    credentials = base64.b64encode(
        f"{os.environ['QBO_CLIENT_ID']}:{os.environ['QBO_CLIENT_SECRET']}".encode()
    ).decode()
    resp = requests.post(
        "https://oauth.platform.intuit.com/oauth2/v1/tokens/bearer",
Confidence
88% confidence
Finding
os.environ['QBO_CLIENT_SECRET']

Env Variable Harvesting

High
Category
Data Exfiltration
Content
},
        data={
            "grant_type": "refresh_token",
            "refresh_token": os.environ["QBO_REFRESH_TOKEN"]
        }
    )
    return resp.json()["access_token"]
Confidence
93% confidence
Finding
os.environ["QBO_REFRESH_TOKEN"]

Credential Access

High
Category
Privilege Escalation
Content
import requests, json, base64, os

def get_access_token():
    """Exchange refresh token for access token."""
    credentials = base64.b64encode(
        f"{os.environ['QBO_CLIENT_ID']}:{os.environ['QBO_CLIENT_SECRET']}".encode()
    ).decode()
Confidence
86% confidence
Finding
access token

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.