Fund Monthly Report Information Extraction (基金月报信息提取)

Security checks across malware telemetry and agentic risk

Overview

This looks like a local fund-report PDF-to-Excel tool, but it needs Review because it can process sensitive financial files and write spreadsheets without strong user confirmation.

Install only if you are comfortable giving it access to the selected fund PDFs and Excel templates. Use a dedicated folder containing only intended files, require an explicit final confirmation before processing, verify output paths before writing, and manually review generated financial data for OCR or mapping errors.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises file scanning and Excel generation, which implies file read/write capabilities, but it does not declare permissions or warn the user about those operations. Missing permission disclosure weakens user consent and reviewability, especially because the skill can access local files and create outputs on disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior significantly overstates what the skill actually does, including claims of automatic template learning, broader extraction coverage, batch folder handling, and generating two Excel outputs. This mismatch is dangerous because users may grant access to sensitive financial documents under false assumptions about processing scope, output handling, and reliability.

Vague Triggers

Medium
Confidence
82% confidence
Finding
Using a generic trigger phrase like "好了" can cause accidental activation during normal conversation, potentially starting file processing earlier than the user intended. In a skill that reads PDFs and writes Excel outputs, ambiguous activation increases the chance of unintended processing of local or uploaded data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill describes batch folder processing without warning that it will scan local directories and generate files. This is risky because users may expose unrelated sensitive documents in the folder or unintentionally allow broader filesystem access than expected.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly states that it will generate and save Excel files to a local folder or a remote outbound directory, but it does not require a clear user confirmation immediately before writing. In an agent setting, undocumented file-creation side effects can lead to unintended data persistence, accidental overwrites, or sensitive extracted fund data being written to locations the user did not expect.

Vague Triggers

Medium
Confidence
94% confidence
Finding
Using the single word "处理" as a start trigger is too broad in a chat workflow because it can appear in ordinary conversation, clarification, or quoted text. That makes unintended processing of uploaded financial documents more likely, especially in a multi-file flow where premature execution can produce incomplete outputs or process files before the user is ready.

Vague Triggers

High
Confidence
98% confidence
Finding
Starting processing on any non-file message is an overly broad activation condition that can be triggered by casual questions, corrections, or unrelated chat. In this skill, that is more dangerous because the content involves user-uploaded PDFs and Excel templates containing financial data, so accidental autonomous processing can act on sensitive data without clear consent or with an incomplete file set.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Automatically starting after 30 seconds of inactivity is ambiguous because silence does not reliably indicate user consent or completion of uploads. In a batch-upload workflow for monthly fund reports, network delay, user hesitation, or staggered uploads can easily cause premature execution on partial or unintended inputs.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill proposes autonomous processing of uploaded files after inactivity without sufficiently clear, up-front consent and warning. Because the skill handles financial report PDFs and Excel templates, this creates a meaningful privacy and integrity risk: users may not realize their data will be processed automatically, and the workflow may execute on incomplete or unintended files.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The rule requires full-page OCR on every page, which will capture all visible content in the PDF image layer rather than only the fields necessary for the fund-report workflow. That creates an avoidable over-collection risk: incidental sensitive data, embedded screenshots, signatures, contact details, or other visible content may be processed without explicit user warning, consent, or scoping controls.

VirusTotal

65/65 vendors flagged this skill as clean.
