Kakutei Shinkoku

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only Japanese tax guidance skill with no executable code or external account access, though users should be cautious with financial details they choose to store.

Use this as general Japanese freelance tax guidance, not as a substitute for a licensed tax professional. Avoid entering My Number, bank details, client identifiers, or unnecessary personal data into the memory template, and verify current tax rules before filing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The example trigger phrase is very broad and resembles a generic help request, which increases the chance the skill is invoked unintentionally in unrelated conversations. In an agent ecosystem, overly generic activation can cause prompt hijacking of normal user intent, unexpected tax guidance in the wrong context, or routing away from more appropriate skills.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The sample trigger phrase is extremely broad and indistinguishable from an ordinary user request, so a generic conversation about tax help could unintentionally activate this skill. In an agent environment with multiple skills, this increases the chance of accidental routing, unexpected instruction capture, and disclosure of user financial context to the wrong skill even though the file does not contain active code or external integrations.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal