copilot-money
Warn
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user or agent to install an external Python package
copilot-money-clifrom an unverified source. This dependency is required for all of the skill's functionality. - [CREDENTIALS_UNSAFE]: The skill documentation describes a process where the CLI tool automatically extracts sensitive authentication refresh tokens from the user's browser IndexedDB storage (supporting Chrome, Safari, Firefox, and Arc). While intended for local authentication, this mechanism involves high-risk access to sensitive browser-managed session data.
- [DATA_EXFILTRATION]: The skill provides the agent with the ability to query and retrieve highly sensitive personal financial information, including account balances, transaction records, net worth, and investment asset allocations.
- [COMMAND_EXECUTION]: The skill operates by executing shell commands that interact with the local filesystem (storing configuration in
~/.config/copilot-money/config.json) and external network APIs to fetch financial data. - [PROMPT_INJECTION]: The skill exposes a surface for indirect prompt injection by processing untrusted data from external sources.
- Ingestion points: The
copilot-money transactionscommand ingests transaction descriptions and memos from external financial institutions. - Boundary markers: The instructions lack specific boundary markers or instructions to treat transaction data as untrusted content.
- Capability inventory: The agent has permissions to execute arbitrary shell commands and read/write local files, which could be exploited if a malicious transaction description influences the agent's logic.
- Sanitization: There is no evidence of sanitization, filtering, or validation of the retrieved financial data before it is presented to the agent.
Audit Metadata