French Tax

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it stores a third-party API key and routes tax queries through an external service, and its configuration and docs contain several copy-paste mismatches.

Review this carefully before installing. Only use it if you trust xiaobenyang.com with the API key and with the tax-related data you enter, and be aware that the key is saved locally in a .env file. The publisher should remove the gaokao leftovers, clarify the exact backend/data flow, and add explicit consent and deletion guidance for stored credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no permissions while its documented behavior clearly includes environment access, file read/write, and network use. This undermines informed consent and prevents reviewers or users from understanding that the skill can persist secrets locally and reach external services, increasing the chance of unintended data exposure or misuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill is presented as a French personal income tax calculator, but the documented capabilities are much broader: web retrieval, cached info access, legal article search, procedure lookups, report generation, health checks, and API key persistence. This mismatch is dangerous because users may authorize a narrow-purpose tax calculator while actually granting a general remote information-retrieval and reporting agent broader operational reach.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The project structure and invocation example reference unrelated gaokao/school-search functionality, which indicates copy-paste contamination or misbound tooling. In a security context, this raises the risk that the skill may call unintended tools or connect to an unexpected backend, causing data leakage, incorrect execution paths, or hidden capabilities beyond the advertised tax use case.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The file says the code only calls APIs, yet elsewhere it describes scraping official sites and generating output files. These contradictions reduce trustworthiness and make it hard to assess what data flows and side effects really occur, which is risky when network access and file writes are involved.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill claims to be a personal income tax calculation service, but the tool list includes broad tax information retrieval, legal search, procedural guidance, and report generation. This scope expansion matters because users may disclose sensitive financial or credential data under the assumption of a simple calculator, while the skill operates as a more general tax-research agent with wider data handling surfaces.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The skill requires collecting a third-party API key from the user and persisting it locally, even though its stated purpose is tax calculation. This is dangerous because credential solicitation and storage introduce a secret-handling attack surface unrelated to a basic calculator, and the document provides no justification, isolation, or safety controls for how that key is stored and used.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This skill is presented as a French personal income tax calculator, but the configuration code manages and persists an unrelated 'XBY_APIKEY' credential tied to a different service namespace ('XBY_GAOKAO'). That scope mismatch is a strong indicator of copied or repurposed code and creates unnecessary secret-handling behavior that can expose or misuse credentials unrelated to the declared functionality.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The class docstring identifies the component as '小笨羊高考Skill配置', which conflicts with the declared French tax service purpose. This inconsistency suggests code reuse from an unrelated project, increasing the likelihood of hidden functionality, incorrect configuration, or accidental credential crossover.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to ask for an API key and save it, but does not warn the user that the credential will be persisted locally or explain retention, storage format, or access controls. This creates a meaningful secret-handling risk because users may disclose reusable credentials without understanding they are being stored for future use.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The function writes an API key directly into a local .env file without any confirmation, warning, or discussion of storage implications. Silent persistence of secrets increases the risk of accidental disclosure through local file access, backups, version control mistakes, or shared runtime environments.

VirusTotal

VirusTotal findings are pending for this skill version.
