Stripe Analytics

Security checks across malware telemetry and agentic risk

Overview

This skill is a read-only Stripe analytics tool, but it can expose sensitive revenue and customer data through broad text and voice triggers.

Review before installing. Use only a restricted read-only Stripe key, prefer explicit slash commands, and avoid enabling this skill in shared or voice-driven agents unless the platform requires confirmation before fetching or speaking Stripe data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (80% confidence)
Finding
Broad trigger phrases like 'Stripe metrics' or 'business dashboard' can cause the skill to activate in conversations where the user did not intend to invoke it. In a finance context, accidental invocation can expose sensitive billing analytics or cause an agent to pull and summarize customer revenue data without sufficiently clear user intent.

Vague Triggers

Medium (93% confidence)
Finding
The voice triggers are highly generic ('Business dashboard', 'Hey, Stripe numbers?') and lack authentication or contextual constraints, which raises the chance of unintended activation from ambient speech or ambiguous requests. Because the skill accesses potentially sensitive financial and customer data, accidental voice-based invocation is more dangerous than it would be for a low-sensitivity utility skill.

VirusTotal

65/65 vendors flagged this skill as clean.
