
Security audit

piaoin-invoice

Security checks across malware telemetry and agentic risk

Overview

The skill is purpose-aligned for Piaoin invoice syncing, but it needs review because it asks users to share an invoice API key in chat and stores that key and financial records locally in plaintext.

Install only if you are comfortable giving the agent access to your Piaoin invoice account and local invoice files. Prefer setting the API key through a local environment variable or secure secret store instead of pasting it into chat, add .piaoin_evn and piaoin_invoice/ to .gitignore, and use tenant-wide downloads only when you are an authorized tenant administrator.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 97%

Finding: The skill clearly directs use of network access, local file reads/writes, environment variables, and shell commands, yet no explicit permission declaration is present. This creates a transparency and governance gap: an agent may perform sensitive actions such as downloading invoices, writing state files, and handling API keys without an upfront permission model or user review boundary.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%

Finding: The skill exposes an `upload-url` command that accepts arbitrary `http`/`https` URLs and forwards them to the remote invoice API, which expands capability beyond local-file upload into brokered remote fetches. This can enable unintended access to internal or sensitive URLs by the upstream service, and it weakens the user's expectation that only local files are handled.

Missing User Warnings

Severity: Medium
Confidence: 98%

Finding: The skill instructs storing a long-lived API key in a local plaintext `.piaoin_evn` file, but does not prominently warn about credential theft risk, file permission hardening, or safer alternatives. Because the same file also stores runtime metadata and sync state, it is likely to remain in the project directory where it could be accidentally committed, shared, or read by other local processes.

Missing User Warnings

Severity: Medium
Confidence: 99%

Finding: The skill tells the user to copy a newly created one-time API key and send it back to the agent, without any privacy or session-boundary warning. Sending secrets through chat increases exposure to logging, retention, model-context leakage, or accidental disclosure to other participants and systems handling conversation transcripts.

Vague Triggers

Severity: Medium
Confidence: 85%

Finding: The default prompt invites use of the skill in a very broad way ('download my latest invoice, or upload local invoice files') without any visible trigger constraints, confirmation steps, or scope limitations. For a skill that can access remote invoice data and local files, this increases the chance of unintended invocation, overbroad file access, or actions on sensitive financial documents from ambiguous user phrasing.

Missing User Warnings

Severity: Medium
Confidence: 97%

Finding: The skill explicitly instructs the agent to ask the user to copy and send the PAT API key in chat, but does not include any warning that the secret should only be shared through a secure channel or handled as sensitive credential material. API keys grant direct access to invoice data and upload operations, so collecting them in conversation increases the risk of secret exposure through chat logs, prompt history, or accidental disclosure.

Missing User Warnings

Severity: Medium
Confidence: 83%

Finding: The `config` command stores the API key in a project-local `.piaoin_evn` file with no warning, permission hardening, or preference for more secure secret storage. On multi-user systems or in shared repositories, this creates a realistic risk of credential disclosure through filesystem access, backups, or accidental commits.

Missing User Warnings

Severity: Medium
Confidence: 87%

Finding: The download workflow writes invoice files, JSONL metadata, and markdown summaries containing invoice details to local disk without an explicit warning or consent prompt about persistent storage of sensitive financial data. Because invoice data commonly includes PII and financial records, silent storage increases the chance of privacy leaks, accidental syncing, or exposure to other local users/processes.

Ssd 3

Severity: Medium
Confidence: 99%

Finding: Requesting a one-time API secret directly in chat is especially dangerous because the key is only shown once and becomes immediately usable for invoice access and uploads. In this skill's context, the secret grants access to sensitive financial records across potentially broad scopes, making chat-based collection an unnecessary credential exfiltration pattern.

Ssd 3

Severity: High
Confidence: 99%

Finding: This is a stronger secret-handling issue: the document tells the agent to have the user directly provide the API key in chat and then write it to a local state file or use it in requests. Because the key authorizes access to potentially sensitive enterprise invoice data across tenant scopes, disclosure in chat or insecure local storage can enable unauthorized data access, invoice upload abuse, or broader compromise of financial records.

VirusTotal

VirusTotal findings are pending for this skill version.


Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Severity: Critical
Code: suspicious.exposed_secret_literal
Location: references/pat-api.md:11

File appears to expose a hardcoded API secret or token.

Severity: Critical
Code: suspicious.exposed_secret_literal
Location: SKILL.md:97