sure-finance-skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Sure Finance API helper that can read and change financial records, but its authority matches its stated purpose and is mostly guarded by user-directed instructions.

Install this only if you want an agent to work with your Sure Finance data. Keep the API key scoped and stored in environment variables, verify SURE_BASE_URL before use, review any create/update/delete/import request before it is sent, and inspect downloaded compose files before using the optional self-hosting workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The playbooks include state-changing operations such as patching transactions, creating transactions, and importing CSV data, but they do not warn that these actions modify user financial records or recommend explicit confirmation before execution. In a finance skill, silent or insufficiently signposted write actions increase the risk of accidental data alteration, bulk import mistakes, and user confusion about irreversible or hard-to-audit changes.

VirusTotal

61/61 vendors flagged this skill as clean.