Receipt OCR Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local receipt-to-CSV OCR helper, with the main caution that it saves receipt data to a local CSV file.

Install only if you are comfortable running a local Python OCR script on receipt images. Run it in a directory where overwriting expenses.csv is acceptable, and review or redact OCR results before sharing them or importing them into Google Sheets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrases such as "scan receipt Pixel" and especially "OCR expense CSV" / "track business receipt" are broad enough to overlap with ordinary user requests. Ambiguous invocation scope can cause the skill to activate unexpectedly on unrelated receipt, expense, or OCR tasks, leading to unintended processing of sensitive financial documents or execution of associated workflow steps.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill processes receipts, which commonly contain personal and financial data such as merchant details, dates, totals, tax amounts, and potentially partial payment information, yet it provides no warning about sensitive-data exposure. Because outputs are written to local files and prepared for Google Sheets, users may unknowingly persist or share confidential expense data beyond the original receipt image.

VirusTotal

66/66 vendors flagged this skill as clean.
