Rapprochement paiements

Security checks across malware telemetry and agentic risk

Overview

The skill’s accounting purpose is coherent, but it should be reviewed because it automatically creates persistent plaintext copies and caches of sensitive bank and invoice contents beyond the main disclosed outputs.

Install only if you are comfortable with local plaintext transcriptions and extraction caches being created beside accounting documents. Run it on a controlled copy or secured accounting workspace, review generated .md and .extract.json files, and establish cleanup/retention rules for bank statements, invoices, and expense records.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The code writes full extracted PDF contents to adjacent `.md` files automatically and silently. In this skill's context, the PDFs are accounting documents and bank statements that commonly contain sensitive personal and financial data, so creating additional plaintext copies increases exposure, persistence, and accidental disclosure risk beyond the original source files.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal