ClawHub

tax_counting_LYJ

Security checks across malware telemetry and agentic risk

Overview

This appears to be a Shenzhen property transfer tax guidance skill with no evidence of hidden code execution, persistence, credential use, or data exfiltration.

Before installing, treat the skill as localized tax guidance rather than authoritative legal or financial advice. Confirm it is being used for Shenzhen property transfer scenarios, and verify any calculated taxes against current local rules or a qualified professional.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
96% confidence
Finding
The skill is configured to trigger on very broad phrases such as '帮我算一下过户要交多少税' and generally on mentions of Shenzhen property tax topics, which increases the chance of unintended invocation in ordinary conversation. This can cause the agent to enter a specialized workflow without clear user intent, leading to confusing responses, unnecessary data collection, or incorrect tax guidance being surfaced in contexts where the user did not explicitly request this skill.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The skill description strongly implies Chinese-only, Shenzhen-specific output formatting without offering a language choice or documenting that the locale constraint is mandatory. While not a code-execution risk, this can mis-handle user requests in other languages or produce unusable output, increasing the chance of misunderstanding in a domain where financial accuracy matters.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal