Back to skill

Security audit

Treeline Money

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Treeline Money helper that reads local finance data and discloses the higher-impact actions that require user confirmation.

Install only if you are comfortable letting Treeline CLI read your local finance database. Review and explicitly approve any sync, import, restore, tagging, demo-mode change, write-enabled SQL, or saved user skill, and avoid saving secrets or overly sensitive details in reusable skill files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is presented as a finance chat/query tool, but it also documents multiple state-changing operations such as sync, import, restore, tagging, compaction, and toggling demo mode. Even though it says to ask the user first, this expands the operational scope beyond passive querying and can lead an agent to modify financial data or local state in ways a user may not expect from the description alone.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill description says it chats with finances, but the documentation also instructs the agent to create persistent user skills by writing files under the user's home directory. That is a materially different capability from financial querying and introduces local file modification and persistence not disclosed in the top-level purpose.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Allowing the agent to create arbitrary user skills on disk is not necessary for answering finance questions and creates a persistence mechanism that can outlive the current session. In context, this broadens the attack surface from finance analysis to durable local configuration/content injection.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The instruction to write `SKILL.md` into `~/.treeline/skills/<name>/SKILL.md` directs the agent to modify local files without a prominent user-facing warning at the point of action. Because this creates persistent content in the user's home directory, it can surprise users and may be abused to leave durable instructions for future agent runs.

Session Persistence

Medium
Category
Rogue Agent
Content
Treeline supports user-created skills for personal financial knowledge. Use `tl skills list --json` to discover existing skills and `tl skills read <path>` to read them.

**Creating skills:** When you learn something reusable about the user's finances — tag conventions, account meanings, tax categories, budget targets — ask if they'd like to save it as a skill for future conversations. To create one, write a SKILL.md file to `~/.treeline/skills/<name>/SKILL.md` (use `tl skills path` to get the directory). Follow the Agent Skills standard (agentskills.io).

---
Confidence
94% confidence
Finding
create one, write a SKILL.md file to `~/.treeline

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.