
Security audit

银行流水对账虾 (Bank Statement Reconciliation Shrimp)

Security checks across malware telemetry and agentic risk

Overview

This is a local bank-reconciliation helper that carries a privacy caution: its preview command prints raw financial rows to the console even though the documentation suggests they are masked.

Install only if you need local bank, order or invoice reconciliation. Avoid running the preview command on highly sensitive files unless you accept that raw rows will appear in the terminal or agent transcript, and review generated reports before sharing or exporting them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 91%

Finding
The preview command prints the first five rows of uploaded financial files directly to stdout, which can expose bank account numbers, names, phone numbers, invoice data and transaction details in plaintext. In a finance-reconciliation skill handling highly sensitive records, console output may be captured in terminal history, log files, screenshots, remote-session recordings or agent transcripts, which increases the likelihood of unintended data disclosure.
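The masking the finding says is missing looks like this in practice. The block below is an added example, not the skill's own code: it reads a statement CSV, masks cells whose column name marks them as sensitive (account and phone numbers keep only their last four digits, names keep only their first character), and returns the rows instead of printing them, so the caller decides whether anything reaches a terminal or agent transcript. The column names, masking rules and sample rows are all constructed assumptions; the skill's real file layout is not on this page.

```python
"""Masked preview for bank-statement CSVs (added example, not the skill's code)."""
import csv
import io
import re

# Column-name fragments that mark a field as sensitive and the rule to apply.
# Assumption: the skill's real headers are not on the page; these are illustrative.
SENSITIVE_PATTERNS = {
    "account": "tail4",   # account / card numbers: keep last 4 digits
    "card": "tail4",
    "iban": "tail4",
    "phone": "tail4",
    "mobile": "tail4",
    "name": "initial",    # personal names: keep the first character only
    "payee": "initial",
    "payer": "initial",
}

# Constructed sample statement; none of these values are real.
SAMPLE_CSV = """date,account_no,counterparty_name,phone,amount,memo
2024-03-01,6222021234567890123,Zhang Wei,13812345678,-1250.00,invoice 1001
2024-03-02,6222021234567890123,Li Na,13987654321,300.50,refund
2024-03-03,6222021234567890123,ACME Trading Co,02112345678,-9999.99,po 77
"""


def _rule_for(column: str):
    """Return the masking rule for a column name, or None if it is not sensitive."""
    lowered = column.lower()
    for fragment, rule in SENSITIVE_PATTERNS.items():
        if fragment in lowered:
            return rule
    return None


def mask_value(value: str, rule: str) -> str:
    """Apply one masking rule to a single cell."""
    if rule == "tail4":
        digits = re.sub(r"\D", "", value)
        if len(digits) <= 4:          # too short to keep a useful tail
            return "*" * len(digits)
        return "*" * (len(digits) - 4) + digits[-4:]
    if rule == "initial":
        stripped = value.strip()
        if not stripped:
            return stripped
        return stripped[0] + "*" * (len(stripped) - 1)
    return value


def preview_rows(csv_text: str, n: int = 5, mask: bool = True):
    """Return (header, rows) with at most n rows; sensitive cells masked unless mask=False.

    Returning rather than printing keeps the decision about where the rows go
    (terminal, log, agent transcript) with the caller.
    """
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    rules = [_rule_for(col) for col in header]
    rows = []
    for i, row in enumerate(reader):
        if i >= n:
            break
        if mask:
            row = [mask_value(cell, rule) if rule else cell
                   for cell, rule in zip(row, rules)]
        rows.append(row)
    return header, rows


def masked_columns(header):
    """Columns the preview will mask; suitable for a warning shown before output."""
    return [col for col in header if _rule_for(col)]


if __name__ == "__main__":
    hdr, preview = preview_rows(SAMPLE_CSV)
    print("masked columns:", ", ".join(masked_columns(hdr)))
    print(",".join(hdr))
    for r in preview:
        print(",".join(r))
```

Calling `preview_rows(SAMPLE_CSV, mask=False)` reproduces the behaviour the finding describes (raw rows), which makes the unmasked path an explicit opt-in rather than the default; `masked_columns` gives the text for the user warning the finding title says is absent.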

VirusTotal

67/67 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.