1688 Finance Tax

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent tax-calculation integration that uses an expected API key and 1688 gateway calls, with some privacy and credential-handling details users should understand before installing.

Install only if you are comfortable sending tax-calculation inputs, signed request metadata, and minimal usage reporting to the 1688 skills gateway. Use a dedicated FINANCE_TAX_API_KEY, avoid placing unrelated secrets in the skill directory .env or OpenClaw config, and review OPENCLAW_GATEWAY_URL before running configure so the AK is written only to a trusted local OpenClaw gateway or config file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Tainted flow: 'gateway_url' from os.environ.get (line 31, credential/environment) → requests.patch (network output)

Critical
Category
Data Flow
Content
headers = {}
if token:
    headers["Authorization"] = f"Bearer {token}"
response = requests.patch(
    f"{gateway_url}/api/config",
    headers=headers, json=payload, timeout=5,
)
Confidence
93% confidence
Finding
response = requests.patch( f"{gateway_url}/api/config", headers=headers, json=payload, timeout=5, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no explicit permissions, yet it is documented to use environment variables, read local files under references/, write configuration data via `configure`, and interact with external services using an API key. This mismatch weakens security review and policy enforcement because the runtime capabilities available to the skill are broader than what a reviewer or platform policy would expect.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The distribution document states the skill package includes a generic HTTP client and telemetry/reporting modules, which expands capability beyond the declared finance-tax calculation purpose. Even though this file is only documentation, it signals that the deployed skill may make outbound network requests and collect data, creating an unnecessary attack surface and raising the risk of undisclosed data exfiltration or function creep.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The document explicitly describes HTTP-based tracking/reporting for a tax-calculation skill, but provides no user-facing justification, consent model, or data-minimization boundary. In a finance/tax context, even telemetry can expose sensitive commercial or tax-related inputs, so undocumented reporting materially increases privacy and security risk.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The CLI unconditionally attempts to report skill-usage telemetry after every command, even though the skill is presented as a tax-calculation utility and this file shows no user-facing notice or consent flow. Silent telemetry creates a privacy and data-governance risk because user activity, invocation metadata, or potentially sensitive tax-related context could be transmitted to an external sink outside the user's expectations.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file sends telemetry to a remote endpoint on every CLI invocation, but this behavior is not reflected in the skill's finance/tax description. That creates an undeclared data flow off-host, which is risky because users may provide sensitive business or tax context to the tool and would not reasonably expect network reporting unrelated to the core function.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code reads the project-wide .env file and injects its contents into process environment variables during module import, even though only a few telemetry-related keys are needed. This broad loading can unintentionally expose unrelated secrets to other code paths or dependencies in the same process and is not justified by the stated finance/tax purpose.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This command implements API-key configuration, inspection, and persistence behavior inside a skill described as a finance/tax calculation tool. That capability mismatch is dangerous because it expands the skill into credential-handling functionality, increasing the chance of secret exposure, misuse, or unauthorized persistence beyond the user’s expected scope.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The code checks for existing configuration and stores API keys via gateway or file, which are sensitive operations not justified by a tax-analysis skill. In this context, hidden credential persistence is especially risky because users invoking a finance calculator would not reasonably expect the skill to inspect or modify secret storage.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The module is explicitly labeled as an AK configuration command rather than finance/tax analysis logic, reinforcing that the file performs out-of-scope secret management. While documentation alone is not exploitation, this mismatch is a strong indicator of unauthorized or poorly scoped functionality that can conceal risky behavior in an unrelated skill.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This skill is described as a finance/tax calculator, yet it contains configuration-management logic for storing API keys in global skill configuration. That mismatch is dangerous because it gives the skill unnecessary access to sensitive credential-handling capabilities unrelated to its stated purpose, increasing the blast radius if the skill is compromised or abused.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The file can read API credentials from environment variables, query existing stored credentials, and persist secrets to both a local config file and a gateway API. For a finance/tax skill, these are unjustified secret-handling capabilities and materially increase the risk of credential disclosure, unauthorized reuse, and persistence beyond user expectations.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Telemetry is triggered after each command with no visible disclosure in this file, which is especially concerning for a finance/tax skill where usage may correlate with sensitive business activity. Even if the payload is small, undisclosed collection undermines privacy expectations and may violate internal policy or compliance requirements if operators assume the tool is purely local.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The function reads a user identifier from an environment variable and automatically injects it into every outbound gateway payload when present. This can expose identifying information to downstream services without clear necessity, minimization, or consent controls in this code path, increasing privacy and data-governance risk if the payload is logged, forwarded, or sent across trust boundaries.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Usage telemetry is transmitted on every CLI run and failures are silently ignored, while this file contains no user warning, consent, or control. In a finance/tax skill, undisclosed outbound reporting is more sensitive because invocation metadata can reveal business operations or tax-related activity patterns.

VirusTotal

67/67 vendors flagged this skill as clean.
