Back to skill

Security audit

MILKEE Swiss Accounting

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real MILKEE accounting integration, but it needs Review because its documentation exposes realistic API-token examples and encourages plaintext credential setup for a high-impact business account.

Install only if you trust the publisher and are comfortable letting the skill read and modify MILKEE business data. Do not reuse or copy the example tokens; store your real token outside source control, restrict access to any config file that contains it, and rotate any token that may have been pasted into docs, chat, logs, or screenshots. Review create/update and stop_timer actions carefully because they can change accounting records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and operationally relies on environment variables, local file persistence, and outbound network access, but it does not declare corresponding permissions in the skill metadata. This creates a transparency and governance gap: users and platforms may authorize or review the skill under the false assumption that it has fewer capabilities than it actually uses, increasing the risk of unnoticed data access or exfiltration.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The guide gives contradictory security advice: it recommends environment variables while earlier instructing users to place long-lived API credentials in a persistent JSON config file. In an installation context for an accounting integration, this increases the chance that sensitive business credentials are stored in plaintext on disk, copied into backups, or accidentally committed or shared.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The documentation includes a concrete bearer token in an authentication example that appears structurally valid and potentially usable. Even if intended as a sample, publishing realistic credentials in skill reference material risks accidental use, secret leakage, or exposure of an active account, which is unnecessary for an accounting integration that handles potentially sensitive business data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document includes a real-looking API token example with a plausible user ID and key format, but does not prominently state that it is fictitious and must never be reused. Readers may mistakenly treat it as safe to share similar values in screenshots, docs, tickets, or repositories, normalizing exposure of credentials for a financial/accounting service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The configuration example tells users to store the MILKEE API token directly in a JSON file under the user's home directory, with no nearby warning about secret exposure risks. Because this skill integrates with Swiss accounting/time-tracking data, compromise of the token could allow unauthorized access to project, customer, and time-entry information and may expose sensitive business records.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README tells users to place MILKEE API credentials directly into a local JSON configuration file but provides no warning about protecting secrets, avoiding commits, or using safer secret-loading mechanisms. This increases the chance that long-lived API tokens are stored insecurely, leaked via shell history, backups, screenshots, or accidentally committed to version control, enabling unauthorized access to accounting and time-tracking data.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill instructs users to configure API credentials and mentions a local timer file, but it does not clearly disclose that customer, project, task, and time-entry data will be sent to a third-party service and that timer state will persist on disk. In an accounting/time-tracking context, this can expose sensitive business metadata and work descriptions without adequate user awareness, especially on shared machines or regulated environments.

Missing User Warnings

High
Confidence
99% confidence
Finding
The authentication section exposes a concrete bearer credential example without labeling it as fake or warning against using real secrets. In the context of a MILKEE accounting/time-tracking integration, such a token could enable unauthorized access to customer, project, task, product, and time-entry data if valid, making the exposure especially sensitive.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The script writes timer metadata, including project name, project ID, work description, and start time, to a predictable file in the user's home directory without setting restrictive permissions or validating existing file state. On multi-user systems or when home-directory permissions/symlink attacks are relevant, this can expose potentially sensitive work metadata or allow unintended file overwrite behavior.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.