Subscription Revenue Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a finance analytics skill with disclosed Stripe/CSV accounting workflows, but users should handle billing API keys and customer revenue data carefully.

Install only if you are comfortable letting an agent work with subscription billing and revenue data. Use restricted or read-only API keys where possible, store secrets in environment variables or a secret manager instead of pasting live keys into commands or code, redact customer exports before sharing, and manually review any generated accounting entries before posting them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill includes examples using a live Stripe secret key placeholder (`sk_live_YOUR_KEY`) in both curl and Python. In a finance/investor-reporting skill, users may copy-paste these patterns into real environments, increasing the risk of exposing production credentials in shell history, scripts, logs, screenshots, or shared notebooks.

VirusTotal

64/64 vendors flagged this skill as clean.
