IR35 Status Assessment

Security checks across malware telemetry and agentic risk

Overview

This appears to be a purpose-aligned IR35 assessment skill, but users should avoid pasting unredacted contracts or personal details.

Use this for IR35 assessments only after redacting names, addresses, signatures, rates, account details, and confidential client terms unless they are essential. Treat the output as guidance, not legal or tax advice, and have a qualified professional review real determinations.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The invocation metadata is broad enough to trigger on general IR35 questions, exploratory tax queries, or educational requests, causing the skill to activate outside its narrow intended use. Over-broad routing can misapply a specialised legal-tax assessment workflow, leading to unnecessary data collection, overly deterministic advice formatting, or user confusion in contexts where a lighter or different response would be safer.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The listing explicitly encourages users to paste contracts and engagement details, which commonly contain personal data, commercially sensitive terms, and tax information, but provides no warning or minimization guidance. In a tax/employment-status assessment context, users are especially likely to submit full unredacted documents, increasing the risk of unnecessary exposure of confidential information.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal