Vendor Compliance 1099

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent 1099 compliance workflow, but it handles sensitive accounting and tax data and depends on a local pipeline script that is not included in the reviewed artifact.

Before installing or using this skill, inspect and trust the referenced local Python pipeline, confirm it uses a read-only QBO token for the intended client, and treat the generated workbook and .cache/vendor-compliance-1099 files as sensitive client tax records.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill handles sensitive financial and tax-related data, including full-year General Ledger records plus locally persisted W-9/TIN status and year-over-year vendor snapshots, but the user-facing description does not clearly warn about that data access and local retention. This creates a meaningful transparency and privacy risk because an operator may run the skill without realizing it will process broad accounting data and leave sensitive compliance artifacts on disk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal