Security audit

支出预警管控虾

Security checks across malware telemetry and agentic risk

Overview

This budget-alert skill appears to be an advisory CSV/reporting helper, but users should not treat its red-light results as actual enforced spending blocks.

Install only if you want an advisory budget-checking workflow. Treat red/yellow/green results as recommendations unless you separately wire them into a real approval system with human review, audit logs, and explicit fail-closed behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The documentation promises that over-budget spend will be 'immediately blocked' and approval will be escalated, but later states automatic approval-flow support is not implemented. In a financial-control skill, this mismatch can cause operators to rely on non-existent enforcement, allowing overspend or policy bypass because users believe the system is actively blocking requests when it is only advisory.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.