Invoice Gen

Security checks across malware telemetry and agentic risk

Overview

This is a local invoice PDF generator whose script behavior matches its stated purpose and shows no hidden data access, network transfer, or persistence.

Install dependencies deliberately, preferably in a virtual environment, and review the invoice fields and output filename before running because the PDF may contain client or business details and can overwrite an existing file at the selected path.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The invocation guidance is very broad: 'Generate an invoice for:' and 'The agent will use this skill' do not clearly constrain when the skill should trigger. In an agent environment, ambiguous triggers can cause unintended activation on loosely related prompts, increasing the chance of mishandling user data or generating documents from incomplete or attacker-supplied content.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal