ClawHub

TaxClaw

Security checks across malware telemetry and agentic risk

Overview

TaxClaw is mostly a coherent local tax-document tool, but it deserves Review because sensitive tax data is handled in a localhost app that still has under-disclosed third-party data/script paths.

Review before installing if you plan to handle real SSNs, EINs, income records, or account data. Use Local mode only, avoid Cloud mode unless you accept sending document images/content to Anthropic, do not put sensitive tax details in the contact form, and be aware the web UI loads a third-party script from unpkg.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill markets itself as 'local-first' and says documents never leave the machine, but the documented/observed behavior includes optional cloud AI processing and external Formspree submissions. For a tax-document skill handling SSNs, EINs, addresses, and financial records, any unclear or incomplete disclosure about outbound transmission materially increases privacy and data-exposure risk.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill metadata promises a local-first design where documents never leave the machine, but this code conditionally sends document images and prompts to Anthropic when `cfg.model_backend == "cloud"`. Because the inputs are tax forms containing highly sensitive personal and financial data, this creates a serious privacy and trust violation and may expose users to regulatory, compliance, and data handling risks.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The code falls back to `chat_json_from_image(cfg=cfg, prompt=CLASSIFY_PROMPT, image_bytes=img)`, which transmits rendered page content to an AI component despite the skill metadata claiming documents never leave the machine. For tax forms, page images can contain SSNs, addresses, income, and account data, so this creates a material confidentiality and trust violation if the AI backend is remote or configurable to be remote.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file explicitly supports a cloud-hosted AI mode and includes a warning that tax documents will be transmitted to a third-party provider, which directly conflicts with the product description claim that documents 'never leave your machine.' In a tax-document processing skill, this is especially sensitive because uploaded content may include SSNs, income, and other highly regulated personal financial data, so misleading privacy claims materially increase user risk.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill metadata promises 'Local-first — your documents never leave your machine,' but this file explicitly supports a cloud backend and also sends contact submissions to Formspree. In a tax-document application handling highly sensitive financial data, this mismatch is security-relevant because users may make trust decisions based on the stronger privacy claim and unknowingly enable remote transmission.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The contact form transmits user-entered data, including name, email, subject, and freeform message, to Formspree over the network. In the context of a tax application, users may disclose sensitive tax or identity information in support messages, so sending that content to a third party expands data exposure beyond the local-first trust boundary.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The template injects affiliate-driven outbound links to a third-party tax platform, which is inconsistent with the skill's stated local-first document extraction purpose. This can mislead users into sending sensitive wallet, exchange, and tax information to an external service, creating a trust-boundary violation and undisclosed product steering risk.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This section actively steers users toward connecting wallets and exchanges to Koinly, expanding the skill's effective behavior beyond extraction/export of local tax documents. In the context of a privacy-sensitive tax tool marketed as local-first, this can cause users to disclose additional financial data to a third party under the implied trust of the original application.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The template loads JavaScript from a third-party CDN (unpkg.com), which breaks the stated local-first trust boundary and creates a supply-chain dependency at page load. If the CDN, package, network path, or script version is compromised, arbitrary code could run in the browser and access highly sensitive tax data displayed in the UI.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The FAQ explicitly states that in Cloud mode tax documents are sent to Claude, which conflicts with the skill metadata claim that documents never leave the user's machine. For a tax-document skill, this mismatch is security-relevant because users may rely on the local-only claim when deciding whether to upload highly sensitive records containing SSNs, EINs, income data, and account details.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The FAQ advertises a Cloud mode requiring an API key, indicating functionality beyond the manifest's stated local-first/privacy-preserving behavior. This creates a deceptive trust boundary: users may install the skill expecting local-only handling but later be exposed to remote processing of sensitive tax data.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases are broad enough to match common requests about tax help or document handling, which can cause the skill to activate in contexts where the user did not clearly intend to open this specific local document-processing tool. Because the skill reads and stores sensitive tax documents, accidental invocation can lead to unnecessary access, ingestion, or exposure of highly sensitive personal financial data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This file sends a PNG rendering of page 1 to an AI service without any user-facing notice, consent check, or documented safeguard in the code path shown. In the context of tax-document handling, silent transmission of document images is risky because users reasonably expect especially strong privacy protections, and the skill description reinforces that expectation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code renders pages from highly sensitive tax documents and passes the resulting page images to `chat_json_from_image`, which is an external AI extraction boundary from the perspective of this file. Although the prompt warns the model not to follow document instructions, it does not address privacy or data handling, and there is no enforcement here that the model is strictly local despite the skill claiming documents never leave the machine. In a tax-document context, this can expose SSNs, EINs, names, and financial data to remote services if configuration is changed or misconfigured.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
At the transmission point, the code posts personally identifying and freeform user content to an external Formspree endpoint without any in-code evidence of an explicit warning or just-in-time consent. Because this app handles tax records, users are especially likely to include sensitive details in messages, making undisclosed third-party submission materially riskier.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The FAQ mentions cloud extraction but does not prominently warn that uploading tax forms shares extremely sensitive personal and financial information with a third party. In the context of tax processing, the omission is more dangerous because users may not appreciate that full source documents—not just extracted fields—could leave their device and become subject to provider retention, logging, or policy controls.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal