AutoCount

Security checks across malware telemetry and agentic risk

Overview

This instruction-only AutoCount skill is purpose-aligned but can create, update, cancel, or delete real business documents, so users should use drafts or test data unless they intentionally approve production changes.

Install only if you want an agent helping with AutoCount business documents. Use least-privilege API keys, prefer a test company or draft mode, avoid exposing keys over untrusted HTTP networks, and require explicit approval before final posting, transfers, updates, cancellations, or deletions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The notes document repeated successful live creation of sales invoices, goods received notes, and purchase invoices against a real AutoCount API, but they do not include safeguards, warnings, or instructions to restrict testing to sandbox data. In a skill designed to automate business document creation, this context makes the omission risky because users or downstream agents may reproduce these steps against production systems and unintentionally create financial or inventory records.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal