Crypto Tax Calc

Security checks across malware telemetry and agentic risk

Overview

This is a static crypto tax reference skill that prints guidance text, with no evidence of data access or unsafe system behavior.

Install only as a static reference aid. Do not rely on it for filing decisions without checking current official rules for your jurisdiction or consulting a qualified tax professional, especially because crypto tax law changes and the content is mostly US-oriented.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Natural-Language Policy Violations

Medium
Confidence: 91%
Finding
The script presents tax guidance for multiple jurisdictions in one section without first asking the user which country’s rules apply or clearly warning that tax treatment varies materially by locale and taxpayer facts. In a tax-reference skill, this can mislead users into applying the wrong jurisdiction’s rules, causing incorrect reporting, missed obligations, or improper tax positions.

Natural-Language Policy Violations

Medium
Confidence: 95%
Finding
This section states IRS forms, filing obligations, and reporting rules as default guidance without locale opt-in, which can incorrectly frame US-specific compliance steps as universally applicable. Users outside the US may follow irrelevant or wrong filing instructions, while US users may over-rely on simplified statements that omit important eligibility and documentation nuances.

Natural-Language Policy Violations

Medium
Confidence: 94%
Finding
The FAQ answers tax questions using IRS and Form 1040 assumptions as the default, without confirming that the user is a US taxpayer. Because the skill is broadly described as a cryptocurrency tax reference, users may reasonably assume the answers are generally applicable, increasing the risk of incorrect compliance decisions across jurisdictions.

VirusTotal

66/66 vendors flagged this skill as clean.
