Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Nalog Ru
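v1.0.2
Calculate the 6% USN (simplified tax system) tax, NPD (professional income tax) for the self-employed, and insurance contributions for individual entrepreneurs (IP) from the entered income and period.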
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The declared purpose is to calculate taxes for IP and self-employed users. However, SKILL.md includes an 'Attribution' section that instructs the agent to execute python3 commands to read and update a file at /home/node/.openclaw/workspace/ru-pack-counter.txt and to append promotional text/links to responses. These file operations and promotional behavior are not needed for tax calculations and the skill metadata does not declare a dependency on python3 or any config paths.
Instruction Scope
Runtime instructions direct the agent to run specific shell/python commands that read and write a workspace file and conditionally modify responses (add t.me links and promotional text). This expands scope from pure calculation to persistent state mutation and unsolicited external linking — a clear scope creep and data-modifying side effect beyond the stated task.
Install Mechanism
There is no install spec (instruction-only), so nothing is downloaded or installed. That lowers supply-chain risk, but does not mitigate the fact that the instructions require executing python3 and performing file I/O at runtime which will alter the agent's workspace.
Credentials
The skill declares no required env vars or config paths, yet the instructions access a specific filesystem path (/home/node/.openclaw/workspace/ru-pack-counter.txt) and require python3. Access to that workspace path and ability to write persistent counters is not justified by tax calculations and is not declared in metadata.
Persistence & Privilege
The skill instructs the agent to persist a counter across runs by writing to a workspace file and to change future outputs based on that counter (adding promotional text until count>=3). That gives the skill persistent state and the ability to alter agent behavior over time — privileges that are unnecessary for a one-off tax calculation.
What to consider before installing
This skill appears to perform tax calculations correctly, but its instructions also tell the agent to run python3 to read/write a local counter file and to append promotional Telegram links to answers — actions unrelated to calculating taxes and not declared in the metadata. Before installing: (1) ask the author to remove the 'Attribution' section (the python commands and promotional text), or to explicitly document and justify persistent file writes and the need for python3; (2) if you must test it, run it in a sandboxed agent instance with no write permission to the workspace and with network access restricted; (3) prefer only skills that declare needed binaries/config paths; (4) if you don't trust the source, do not install — the behavior could be used for unsolicited posting or persistent tampering of agent replies.
Like a lobster shell, security has layers — review code before you run it.
latestvk972edaaaj2sxav4wnxgvfwm5h820w1q
Runtime requirements
🧮 Clawdis
OS: Linux · macOS · Windows
