Simplify Budget Expense Tracker

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a budget-sheet tool, but it includes under-scoped financial mutation paths and an unrelated local session-pruning script that users should review before installing.

Install only if you are comfortable granting this package editor access to your budget spreadsheet. Before use, reconcile the recurring-payment scope, add an explicit confirmation step for recurring deletes, protect the Google service account key outside the repo with restrictive permissions, and remove or ignore the unrelated session-pruning script unless you deliberately want that local OpenClaw maintenance behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (24)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The README advertises recurring item create/update/delete capabilities, while the declared skill scope says recurring support is read-only for schedule questions. This kind of scope drift is dangerous because an orchestrating agent may rely on the README and invoke mutation paths the skill was not supposed to expose, leading to unauthorized spreadsheet changes.

Description-Behavior Mismatch

Low
Confidence
80% confidence
Finding
The README claims receipt-based logging and learned category aliases that are not declared in the manifest. Undeclared capabilities can cause agents or operators to trust features that bypass expected review boundaries, especially if image/receipt parsing or persistent learning writes are performed without being part of the approved interface.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The behavior notes say the LLM may suggest a category when it does not know the item and then learn that alias, which directly contradicts the skill metadata requirement that categories are hardcoded and must never be invented. In a financial-records skill, this is more dangerous because invented or drifted categories can silently corrupt budgeting data, route entries to invalid buckets, and undermine later edits, reporting, and user trust.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The manifest/description says recurring support is read-only, yet the skill documents add, update, and delete operations on recurring rows. That inconsistency can mislead users into invoking the skill under the assumption that recurring data cannot be modified, increasing the risk of unauthorized or accidental destructive changes.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The documentation first frames recurring queries as read-only, then later provides mutation workflows for the same data set. Mixed messaging around read-only vs. write behavior is especially risky in a financial-record skill because it can cause the agent or user to perform destructive changes under incorrect assumptions.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This wrapper exposes a destructive delete_recurring operation that is not disclosed in the manifest/declared skill behavior. That mismatch is dangerous because it expands the skill's effective capabilities beyond what users, reviewers, and policy controls may expect, enabling unauthorized deletion of recurring schedule data through a hidden or undocumented path.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata explicitly says recurring functionality should be limited to read-only schedule questions, but this wrapper exposes create, update, and delete paths for recurring entries. That is a real capability expansion: an agent or prompt that believes the manifest can only read recurring schedules could still modify future financial records, causing unauthorized persistent changes.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The manifest says categories are hardcoded and must be chosen from an exact list, but the wrapper exposes a learn_category_alias capability that can change category-resolution behavior over time. This undermines the declared trust boundary and can silently steer future classifications into unintended categories, affecting integrity of financial data.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The conversation_bridge capability is outside the stated budgeting operations and creates an undeclared execution surface. Any undeclared bridge mechanism increases the chance of prompt injection, policy bypass, or hidden tool-routing behavior because reviewers and callers cannot reason about its scope from the manifest.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script implements a learning path that stores new category aliases via `learn_category_alias.sh`, even though the skill metadata explicitly says categories are hardcoded and must never be invented. This creates policy drift: user input can expand the accepted category vocabulary over time, weakening control over a finance-recording workflow and potentially causing misclassification or persistence of unintended labels.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The exposed `learn` action advertises and enables a training capability that is not necessary for the stated purpose of logging and managing budget entries in a fixed-schema Google Sheet. Unnecessary mutation features increase attack surface and allow user-driven state changes that can alter future behavior in ways the manifest does not disclose.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill metadata says recurring schedules are read-only, but this script implements a destructive delete operation by clearing recurring data in the sheet. That capability mismatch is dangerous because an agent or caller could invoke behavior the user would not reasonably expect or authorize based on the manifest, causing unauthorized modification of budgeting records.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The helper performs outbound FX retrieval and conversion logic that is outside the core stated purpose of logging and editing budget-sheet data. In a budgeting skill, this expands the trust boundary to a third-party service and can alter stored financial records based on external data, creating integrity and privacy risks that users may not expect.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script makes an unjustified outbound request to the ECB and caches the result locally, introducing a non-obvious external dependency for a sheet-management skill. Even though the Google token is not sent to ECB, the network call creates unnecessary supply-chain, availability, and data-integrity risk because budget values may depend on unverified external content.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The skill metadata explicitly says categories are hardcoded and must never be invented, but the parser also loads additional aliases from a writable JSON file on disk and uses them to influence category resolution. That creates a hidden trust boundary: anyone who can modify the learned alias file can steer transaction classification in ways not visible in the documented hardcoded list, undermining integrity of financial records and agent behavior.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This script manipulates local OpenClaw/Telegram session state by pruning and archiving session files under ~/.openclaw, which is unrelated to the stated budgeting and Google Sheets functionality of the skill. In this context, hidden session-state modification can disrupt unrelated agent conversations, erase operational context, and create an avenue for unauthorized tampering with agent state outside the user's expected scope.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The code provides a local capability to enumerate, move, and rewrite agent session state, including deleting entries from sessions.json after archiving files. For a budgeting skill, this is unjustified privileged behavior and expands the attack surface by allowing the skill to interfere with local agent infrastructure rather than only budget data.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script's behavior conflicts with the declared skill scope: the metadata says recurring functionality is limited to read-only schedule questions, but this file performs an authenticated update to recurring rows. This creates a capability mismatch that can mislead users or higher-level policy layers, enabling unauthorized state changes in financial data under the guise of a read-only feature.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script creates and writes recurring schedule entries to the Recurring sheet, but the skill metadata explicitly says recurring schedule functionality is read-only. That mismatch is a real integrity and authorization problem because an agent or user relying on the manifest could trigger state-changing behavior they did not consent to, altering financial automation data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup instructs users to store and use a Google service account JSON key for spreadsheet access, but gives no guidance on protecting the key, restricting IAM permissions, avoiding repo storage, or limiting sheet sharing. That omission can lead to credential exposure or over-privileged access, which would allow unauthorized reads or writes to the budget spreadsheet and potentially other Google resources tied to the service account.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill documents delete workflows for recurring items without requiring an explicit warning that records will be cleared. In a financial tracker, destructive actions on ledger/schedule data can cause loss of planning and audit information if triggered accidentally or misunderstood by the user.

Missing User Warnings

High
Confidence
95% confidence
Finding
Recurring-entry deletion is both destructive and outside the manifest's declared read-only recurring scope, so the lack of any confirmation is more dangerous here than for ordinary documented deletes. An agent relying on the manifest could unknowingly delete scheduled future transactions, creating lasting integrity issues in the budgeting system.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script performs an immediate destructive clear request against the spreadsheet without any built-in confirmation, preview, or safety interlock. In an agent setting, this increases the chance of accidental or coerced deletion of recurring schedule data, especially when IDs are selected from prior tool output.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script silently moves session files to an archive directory and rewrites the session index without any disclosure, prompt, or audit-oriented notification to the user. Even if intended as maintenance, undisclosed mutation of session state can cause loss of continuity, hinder forensic review, and make unexpected behavior difficult to attribute or recover from.

VirusTotal

67/67 vendors flagged this skill as clean.
