Invoice Generator

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local invoice HTML generator, with a minor privacy caveat that the template loads a Google Font when opened.

Safe to install for local invoice generation. Review invoice totals and payment details before sharing, remove or block the Google Fonts link if you need a fully offline/private document, and do not paste untrusted HTML into invoice fields.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The template fetches a Google Fonts stylesheet from an external domain, which means the generated invoice is not actually self-contained and will make a network request when opened. This can leak metadata such as IP address, access timing, and document usage to a third party, and it also creates reliability and privacy issues in offline or restricted environments.

Description-Behavior Mismatch

Medium

Confidence: 92% confidence
Finding: The manifest promises a single self-contained HTML invoice, but the template includes an external resource, creating a mismatch between documented and actual behavior. This is dangerous because users may open sensitive invoice documents assuming no external communication occurs, when in fact the browser may contact a third party.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal