Trust Assessment
copilot-money received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. The key findings are: "Skill accesses browser IndexedDB for authentication tokens", "Unpinned `pip` dependency allows supply chain attacks", and "Skill requires broad command execution for sensitive financial operations".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Skill accesses browser IndexedDB for authentication tokens.** The skill describes a CLI tool (`copilot-money-cli`) that, when initialized, directly accesses the user's browser (IndexedDB on macOS) to extract a Copilot Money session token. While the skill states this happens locally and data is only sent to Copilot Money's API, this capability represents a critical security risk. If the `copilot-money-cli` package is compromised or malicious, it could exfiltrate these highly sensitive authentication tokens, leading to unauthorized access to the user's financial data. An AI agent executing this skill would be performing this sensitive operation. Agents should be extremely cautious about executing tools that directly access browser storage for credentials. If this functionality is deemed necessary, it must be performed in a highly isolated and sandboxed environment, with explicit user consent and clear warnings about the risks. Consider requiring manual token entry (`--source manual`) as the default or only option for agent-driven use to mitigate this risk. | LLM | SKILL.md:42 |
| HIGH | **Unpinned `pip` dependency allows supply chain attacks.** The installation instruction `pip install copilot-money-cli` does not specify a version. This means that any future installation or update could pull the latest version of the package, which could potentially be compromised or malicious. This lack of version pinning creates a significant supply chain risk, as an attacker could publish a malicious update to the `copilot-money-cli` package, which would then be automatically installed and executed by users or agents. Pin the dependency to a specific, known-good version (e.g., `pip install copilot-money-cli==X.Y.Z`). Implement regular auditing and updating of pinned dependencies to ensure security patches are applied while maintaining control over the installed version. | LLM | SKILL.md:16 |
| MEDIUM | **Skill requires broad command execution for sensitive financial operations.** The skill describes a command-line interface (CLI) for managing personal finance data, including accounts, transactions, and net worth. An AI agent utilizing this skill would need the capability to execute arbitrary shell commands (e.g., `copilot-money refresh`, `copilot-money accounts`). Granting an AI agent broad command execution permissions, especially for tools handling sensitive financial information, introduces a significant attack surface. Malicious user input or a compromised agent could potentially leverage these permissions for unintended operations or data manipulation. Implement strict sandboxing and least-privilege principles for any AI agent executing external commands. Ensure that all arguments passed to `copilot-money` commands are thoroughly validated and sanitized to prevent command injection. Consider limiting the specific `copilot-money` subcommands an agent can execute to only those strictly necessary for its function. | LLM | SKILL.md:24 |