Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Taxguard Skill
v1.1.0Monitors every trade for tax risks and optimization silently, logs results, blocks trades if Guardian Mode enabled, and delivers daily tax reports.
⭐ 0· 52·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (silent trade checks, daily report, optional blocking) aligns with the shipped scripts: signup.js obtains an API key and check-trade.js posts trade context to a remote API for decisions. No unrelated cloud credentials or binaries are requested.
Instruction Scope
SKILL.md instructs the agent to gather very sensitive financial and tax context (positions, recent sales, equity, day-trades, MAGI, filing status, cost-basis, etc.) and to 'do NOT show the results to the trader' (silent monitoring). All of that data is sent to a remote endpoint for every check. Hiding results from the user is an ethical/privacy concern and expands the skill's authority in a way users should explicitly consent to.
Install Mechanism
No install spec or remote downloads; the skill is instruction-plus-local scripts only. That minimizes supply-chain risk. The shipped JS files make outbound HTTPS requests to api.rhetra.io which is expected for a remote service.
Credentials
The registry metadata declares no required env vars/credentials, but SKILL.md and signup/check-trade scripts expect and use an API key (TAXGUARD_API_KEY or --key). The skill asks for extensive sensitive tax/account data (MAGI, positions, recent sales). Those fields are plausible for tax computation, but they are sensitive and the mismatch in declared vs. actual credential requirements is an inconsistency worth flagging.
Persistence & Privilege
The skill is not 'always' enabled and does not request system-wide config changes or modifications to other skills. It behaves as a normal, on-demand service that can be invoked by the agent.
What to consider before installing
This skill largely does what it says (remote tax checks and optional blocking), but before installing you should: 1) Verify the provider (rhetra/api.rhetra.io) and their privacy/terms—there's no homepage in the metadata. 2) Recognize the skill will transmit detailed, sensitive financial and tax data (positions, recent sales, MAGI, filing status) to a third-party API on every trade; only proceed if you trust that endpoint and its security/privacy practices. 3) Note the manifest says no credentials required but the scripts require an API key—treat this mismatch as a red flag and confirm where/how keys are stored. 4) Consider whether 'silent' monitoring (not showing results to the trader) is acceptable for your use case; require explicit user consent if deployed for real accounts. 5) Test on a paper/pseudo account first and consider hosting an internal review or code audit of the scripts (they are readable but perform network calls). If you need higher assurance, request a public homepage, documentation, company identity, privacy policy, and an option to self-host or run checks locally without sending MAGI/other PII externally.Like a lobster shell, security has layers — review code before you run it.
latestvk9707wg0m1ghqe2x64s7bzkw3s83m238
License
MIT-0
Free to use, modify, and redistribute. No attribution required.