Accounts Payable Agent

Security checks across malware telemetry and agentic risk

Overview

This is a coherent accounts-payable skill, but it gives an agent broad authority to move real money without enough explicit approval and scope controls.

Install only in an environment where payment tools are externally constrained. Before giving this skill access to real financial systems, define approved vendors and accounts, allowed rails, spend limits, wallet and bank allowlists, per-payment or batch approval requirements, payroll data protections, audit logging, and explicit rules for requests from other agents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The identity text grants sweeping authority to move money "across any rail" including crypto, fiat, and stablecoins, which materially exceeds a typical accounts payable scope. This kind of overbroad financial-action framing can cause downstream systems or users to treat the agent as authorized for unrestricted fund movement, increasing the risk of fraud, policy bypass, and unsafe payment execution.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill explicitly frames itself as able to execute vendor, contractor, and payroll payments autonomously, including selecting rails and sending funds, but it does not require explicit human confirmation for irreversible financial actions. In an agentic system, this increases the risk of unauthorized, mistaken, or manipulated disbursements that could directly move money before a human notices.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The recurring bills workflow shows a loop that automatically sends payments for due bills with no explicit human confirmation and only a spend-limit check. That design can enable bulk unauthorized or erroneous payments if upstream data is wrong, compromised, or maliciously injected, making the operational blast radius larger than a one-off payment flow.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
Referencing payroll disbursements without warning about the sensitivity of payroll operations understates both the financial and privacy risks involved. Payroll combines irreversible payments with highly sensitive employee data, so normalizing autonomous handling without clear cautions can lead to misuse, compliance failures, or disclosure of confidential information.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The description presents money-moving capability without any warning, limitation, or requirement for human authorization. In a financial agent, omission of clear safety boundaries can mislead operators into using the skill for sensitive transfers without proper review, making social engineering, misconfiguration, or accidental misuse more likely.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The activation guidance is extremely broad: referencing the agent by name or specialty can trigger a high-trust financial-payment skill without clear scoping, authorization checks, or explicit user confirmation. In a multi-agent environment, this increases the chance of unintended invocation by other agents or ambiguous prompts, which is especially risky because the skill is positioned to execute payments autonomously.
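As an added example (not code from the skill, from SkillSpector, or from NVIDIA), the following Python sketches the externally constrained payment tool the overview calls for and shows how it changes the recurring-bills loop and the cross-agent invocation flagged in the findings above: every send must pass a vendor and destination-account allowlist, a rail allowlist, per-payment and batch spend limits, a check that the requester is not another agent, and verification of a human approval token that is bound to the exact vendor, account, rail, amount and requester, and every decision is written to an audit log. All names, the PaymentPolicy fields, the HMAC approval-token scheme and the sample bills are assumptions constructed for this example.

```python
# Added example: a policy-gated payment tool wrapper for an accounts-payable agent.
# Illustrative code, not the skill's own code or SkillSpector's; every name, field,
# key and sample bill below is an assumption constructed for the example.
from dataclasses import dataclass, asdict, replace
from decimal import Decimal
import hashlib
import hmac
import json


@dataclass(frozen=True)
class PaymentRequest:
    vendor_id: str
    account: str               # destination bank account or wallet address
    rail: str                  # e.g. "ach", "wire", "usdc"
    amount: Decimal
    currency: str
    requester: str             # "human:<id>" or "agent:<name>"
    approval_token: str = ""   # HMAC issued by a human approver over the request body


@dataclass
class PaymentPolicy:
    allowed_vendors: dict      # vendor_id -> set of allowed destination accounts
    allowed_rails: set
    per_payment_limit: Decimal
    batch_limit: Decimal       # cap on everything sent in one run
    approval_key: bytes        # held by the approval/payment service, never by the agent
    allow_agent_requests: bool = False


def approval_digest(key, req):
    """Bind the approval to every field that changes where money goes, how, or how much."""
    body = {k: v for k, v in asdict(req).items() if k != "approval_token"}
    body["amount"] = str(body["amount"])
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def human_approve(policy, req):
    """Stands in for the out-of-band approver: returns the request with its token attached."""
    return replace(req, approval_token=approval_digest(policy.approval_key, req))


class PaymentGate:
    """Sits between the agent and the real rail; it must run outside the agent's process."""

    def __init__(self, policy, send_fn):
        self.policy = policy
        self.send_fn = send_fn            # the real rail client, injected
        self.audit = []                   # append-only log of every decision
        self.batch_total = Decimal("0")

    def violations(self, req):
        p, why = self.policy, []
        if req.requester.startswith("agent:") and not p.allow_agent_requests:
            why.append("requests from other agents are not accepted")
        accounts = p.allowed_vendors.get(req.vendor_id)
        if accounts is None:
            why.append("vendor not approved")
        elif req.account not in accounts:
            why.append("destination account not on the vendor's allowlist")
        if req.rail not in p.allowed_rails:
            why.append(f"rail {req.rail!r} not allowed")
        if req.amount <= 0:
            why.append("non-positive amount")
        elif req.amount > p.per_payment_limit:
            why.append("exceeds per-payment limit")
        elif self.batch_total + req.amount > p.batch_limit:
            why.append("would exceed batch limit")
        expected = approval_digest(p.approval_key, req)
        if not hmac.compare_digest(req.approval_token, expected):
            why.append("missing or invalid human approval")
        return why

    def execute(self, req):
        entry = {"request": asdict(req) | {"amount": str(req.amount)}}
        why = self.violations(req)
        if why:
            entry.update(status="rejected", reasons=why)   # held for a human, not retried
        else:
            entry.update(status="sent", tx=self.send_fn(req))
            self.batch_total += req.amount
        self.audit.append(entry)
        return entry


def run_recurring_bills(gate, bills):
    """Guarded recurring-bills loop: nothing is sent unless it clears the gate."""
    return [gate.execute(bill) for bill in bills]


# Constructed sample data: a policy, an approved invoice, a tampered copy of it,
# an agent-originated copy, and a valid payroll payment that overruns the batch cap.
POLICY = PaymentPolicy(
    allowed_vendors={"acme-hosting": {"ACC-100"}, "payroll-provider": {"ACC-200"}},
    allowed_rails={"ach"},
    per_payment_limit=Decimal("5000"),
    batch_limit=Decimal("8000"),
    approval_key=b"demo-approver-key",   # assumption: a real deployment keeps this in a KMS/HSM
)
BILL = PaymentRequest("acme-hosting", "ACC-100", "ach", Decimal("4200"), "USD", "human:alice")
APPROVED = human_approve(POLICY, BILL)
TAMPERED = replace(APPROVED, account="ACC-999")          # account swapped after approval
FROM_AGENT = replace(BILL, requester="agent:scheduler")  # no human in the loop
PAYROLL = human_approve(POLICY, PaymentRequest(
    "payroll-provider", "ACC-200", "ach", Decimal("4800"), "USD", "human:alice"))


def demo():
    gate = PaymentGate(POLICY, send_fn=lambda req: f"tx-{len(gate.audit) + 1}")
    return run_recurring_bills(gate, [APPROVED, TAMPERED, FROM_AGENT, PAYROLL]), gate
```

Running demo() sends the approved invoice, holds the same invoice with a swapped destination account (both the allowlist and the approval check fail, so an injected account change cannot ride on an earlier approval), refuses the agent-originated request, and holds an otherwise valid payroll payment because it would push the run past the batch limit. The gate only constrains the agent if it runs in the payment service with the approval key, not inside the agent's own sandbox where the agent could call the rail client directly.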

VirusTotal

65/65 vendors flagged this skill as clean.
