Norman: Find Receipts

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is purpose-aligned for finding, uploading, attaching, and verifying receipts in Norman Finance, with no hidden code or unrelated access found.

Before using it, make sure the agent summarizes each receipt-to-transaction match before upload, link, or verification. Avoid granting broad email or cloud access unless you trust the connected tool; manually providing receipt files is the safer workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs the agent to upload attachments, link them to transactions, and mark transactions as verified without requiring an explicit user confirmation step before each state-changing financial action. In a finance context, this can cause incorrect records, accidental attachment of the wrong receipt, or premature verification of bookkeeping data, which may affect accounting accuracy and auditability.

VirusTotal

64/64 vendors flagged this skill as clean.