DeepRead Invoice Processing

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only DeepRead invoice-processing skill that discloses sending user-selected documents to an external API, with privacy considerations but no hidden code or persistence found.

Install only if you are authorized to send invoices, receipts, or bills to DeepRead and any configured BYOK model provider. Review vendor privacy, retention, data residency, and compliance terms first, and prefer redacted or non-sensitive test documents before processing real financial records.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly instructs users to upload invoices, receipts, and bills to a third-party API, but it does not provide a clear privacy/security warning about transmitting potentially sensitive financial and personal data off-platform. Because invoices commonly contain names, addresses, account details, tax IDs, and payment information, lack of prominent disclosure can lead to unintended data exposure and policy noncompliance.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal