Back to skill

Security audit

Organisation Documents

Security checks across malware telemetry and agentic risk

Overview

This accounting document skill is mostly purpose-aligned, but it asks to automatically process sensitive emails/files and persist client records without enough scoping or user control.

Review before installing. Use only with a dedicated accounting inbox/workspace, require confirmation for bulk or ambiguous processing, avoid granting Gmail/Drive/password-manager access unless tightly scoped, and disable or remove external company lookup unless users explicitly approve sending identifiers to the public company API.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The skill repeatedly states that only the script should maintain classification state, but the onboarding flow instructs the agent to manually edit clients.json. That contradiction undermines integrity guarantees, creates a path for inconsistent or malformed state, and makes it easier for an agent or prompt injection to justify unauthorized writes to a sensitive registry.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The document creates a contradiction between the claimed behavior ('no field is guessed manually') and the actual contract, which explicitly allows inferring the client from sender, subject, date, and email body. In this skill context, that inference can misclassify accounting documents across tenants/clients, causing confidentiality breaches, incorrect filing, and downstream accounting errors if weakly validated metadata is trusted.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The script adds company-enrichment functionality that goes beyond the manifest's stated purpose of organizing accounting documents. In this skill, which is configured to run automatically and without user approval on incoming emails and files, that scope expansion increases the chance of unauthorized data processing and unexpected external lookups tied to sensitive accounting workflows.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code performs outbound requests to a public company API based on user-supplied names or identifiers, but that network access is not clearly necessary for document classification. In the broader skill context, which mandates automatic invocation on accounting emails and attachments, this can leak business-sensitive names, identifiers, and workflow metadata to a third party without clear user awareness or approval.

Vague Triggers

High
Confidence
90% confidence
Finding
The skill requires automatic invocation without asking permission for a very broad set of routine events, including any email with common accounting keywords or any file deposited in the inbox. In a security context, this greatly expands the attack surface for prompt-triggered processing of untrusted content and can cause unintended execution on malicious or irrelevant documents.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.