Xero Cli

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real Xero CLI, but it grants broad accounting write access and stores reusable OAuth tokens locally in plaintext.

Review before installing for a production Xero organization. Use a test tenant first, limit the Xero app scopes where possible, protect or delete data/tokens.json after use, run auth logout and revoke the Xero app if access is no longer needed, and require explicit human review before commands that create, authorize, void, delete, allocate, reconcile, or attach financial records.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (7)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill declares required environment variables in metadata but does not declare explicit permissions, creating a mismatch between the skill's documented capabilities and its permission model. In practice, this can lead to over-trust by users or orchestration systems, because the skill accesses sensitive Xero credentials and can perform financial actions without a clearly declared permission surface.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The code persists the full OAuth TokenSet, likely including access and refresh tokens, to a JSON file on disk in plaintext with no encryption, permission hardening, or secure storage mechanism. If the local filesystem is accessible to another user, process, backup system, or malware, an attacker could recover the tokens and gain unauthorized access to the connected Xero tenant until expiry or revocation.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The `delete` command performs a destructive payment deletion immediately after receiving a payment ID, with no confirmation prompt, dry-run mode, or explicit safeguard. In an accounting context, accidental or scripted invocation can void legitimate payments and compromise financial records, especially because the CLI is designed to manage real Xero data.

Unpinned Dependencies

Low

Category: Supply Chain
Content: "private": true, "type": "module", "dependencies": { "commander": "^12.1.0", "express": "^4.21.0", "open": "^10.1.0", "xero-node": "^9.3.0"
Confidence: 95% confidence
Finding: "commander": "^12.1.0"

Unpinned Dependencies

Low

Category: Supply Chain
Content: "type": "module", "dependencies": { "commander": "^12.1.0", "express": "^4.21.0", "open": "^10.1.0", "xero-node": "^9.3.0" }
Confidence: 95% confidence
Finding: "express": "^4.21.0"

Unpinned Dependencies

Low

Category: Supply Chain
Content: "dependencies": { "commander": "^12.1.0", "express": "^4.21.0", "open": "^10.1.0", "xero-node": "^9.3.0" } }
Confidence: 94% confidence
Finding: "open": "^10.1.0"

Unpinned Dependencies

Low

Category: Supply Chain
Content: "commander": "^12.1.0", "express": "^4.21.0", "open": "^10.1.0", "xero-node": "^9.3.0" } }
Confidence: 95% confidence
Finding: "xero-node": "^9.3.0"

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal