Tally Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a real local TallyPrime accounting helper, but it gives agents broad live-accounting powers and includes runtime package and system installation steps users should review before installing.

Install only for a supervised local TallyPrime workflow. Keep TALLY_URL pointed to a trusted local instance, do not let the agent install or upgrade npm/OS packages without administrator approval, and require explicit review before any broad export, custom TDL query, master creation, voucher post/alter/cancel, or company setup action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

Medium (92% confidence)
The skill is presented as operating against a local TallyPrime instance, but its documented PDF workflow can reach the public npm registry and install or upgrade packages at runtime. That expands the trust boundary from purely local accounting automation to arbitrary network/package-supply-chain activity, which could surprise users and enable execution of unreviewed code during a normal skill run.

Context-Inappropriate Capability

Medium (88% confidence)
The skill includes instructions to install OS packages, Playwright browsers, and system dependencies unrelated to basic local Tally XML posting. In an agent setting, these are high-impact host modification actions that can alter the environment, increase attack surface, and normalize privileged package installation from a workflow that users may expect to be limited to accounting tasks.

Description-Behavior Mismatch

Medium (90% confidence)
The manifest/description says the skill is for local Tally accounting over XML-over-HTTP, but the file also enables PDF generation from user text via `tallyca`, a distinct capability that creates files and may trigger package-management behavior. This mismatch weakens informed consent and can cause the agent to perform file-generation tasks users or reviewers did not expect from the declared scope.

Description-Behavior Mismatch

Medium (95% confidence)
The skill metadata says it should read reports and post/update vouchers, but this file also enables creation and alteration of masters such as groups and ledgers. That expands the effective authority of the skill beyond its declared scope, which can let an agent modify accounting structure and tax configuration in ways a user may not expect.

Description-Behavior Mismatch

Medium (96% confidence)
The new-company setup section instructs the agent to create multiple GST and purchase ledgers automatically, which is outside the stated report/voucher-focused purpose. In an accounting environment, silent setup of tax ledgers can materially affect bookkeeping and tax treatment, making this a scope-expansion risk rather than harmless documentation.

Description-Behavior Mismatch

Medium (87% confidence)
This section broadens the skill from predefined accounting exports into arbitrary company enumeration and custom TDL-backed report creation. That materially increases capability and attack surface, because TDL can be used to query additional data structures and expose information beyond the narrowly described CA workflow, especially in multi-company environments.

Context-Inappropriate Capability

Medium (92% confidence)
Providing a generic pattern for injecting full TDL Report/Form/Part/Line/Field/Collection definitions gives the skill a flexible mechanism to issue custom queries against Tally, which can bypass intended feature boundaries. In a security context, documentation that normalizes arbitrary TDL payloads makes it easier for an agent or prompt attacker to repurpose the skill for unintended data discovery or extraction.

Vague Triggers

Medium (80% confidence)
The invocation guidance is broad enough to trigger on generic mentions of Tally, invoices, GST, returns, or financial statements, which can cause the skill to activate without clear user intent for local accounting automation or posting. In this skill, broad activation is more dangerous because the capability includes write operations to accounting data and host-side file/tool actions.

Missing User Warnings

Medium (88% confidence)
Exporting the full 'List of Accounts' can disclose sensitive company master data, including customer/vendor ledger names and financial structure, and the guidance does not mention minimization or sensitivity. Telling an agent to fetch the entire list just to check whether one ledger exists creates unnecessary data exposure.

Missing User Warnings

Medium (79% confidence)
The documentation instructs sending accounting and GST data over HTTP to a configurable endpoint without any warning about the sensitivity of the transmitted financial data or the trust boundary of that endpoint. Even if Tally is intended to run locally, missing guidance can lead operators to expose or forward highly sensitive business records to non-local, unencrypted, or untrusted destinations.

VirusTotal

VirusTotal findings are pending for this skill version.