India Tax Helper

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed India tax-help skill with local calculators, but users should verify results because some tax calculations are simplified or incomplete.

Install only if you will treat the outputs as educational estimates, not professional tax advice. Verify current FY rules, capital-gains treatment, surcharge, rebate, and filing deadlines against official Income Tax Department sources or a qualified tax professional before acting.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The docstring markets this as an end-to-end tax estimator, but the code explicitly applies simplified logic such as computing rebate 87A only on salary tax, approximating surcharge, and potentially omitting capital-gains tax when verified rules are missing. In a tax-helper skill, this mismatch can mislead users or downstream agents into treating approximate results as authoritative, causing incorrect tax filing decisions, underpayment, or overpayment.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding:
The code hardcodes FY-2026-27 inside compute_regime_tax and ignores the caller-provided financial year, so users can receive tax calculations based on the wrong year’s slabs, rebate, and surcharge rules. In a tax-helper skill, this is security-relevant because it can systematically produce incorrect financial guidance while appearing authoritative, especially around year-specific compliance decisions and filing choices.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding:
The test explicitly documents that the capital gains script does not apply an important LTCG exemption, yet still treats the behavior as a passing test. In a tax-helper skill, this can normalize known-wrong tax computation logic and allow inaccurate tax outputs to survive validation, which may mislead users into underpaying or overpaying taxes.

VirusTotal

65/65 vendors flagged this skill as clean.
