China Tax Calculator

Security checks across malware telemetry and agentic risk

Overview

This skill is a local China tax calculator; it handles sensitive salary data by design but does not show evidence of hidden sharing, file writing, credential access, or unsafe automation.

Reasonable to install from a security perspective. Treat salary, family deduction, and employee payroll details as confidential: only process data you are authorized to use, minimize names or identifiers in batch mode, and store or share generated CSV/Markdown reports only in approved locations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly supports batch employee tax calculation, which implies handling multiple individuals' salary, bonus, and deduction data at once. Without any privacy notice, minimization guidance, or access-control warning, users may input or process sensitive payroll data in ways that expose confidential personal and HR information.

Missing User Warnings

Medium
Confidence: 95%
Finding
Generating Feishu reports can transmit salary, tax, and deduction details to an external platform, increasing exposure beyond the immediate chat context. Without a warning about third-party sharing, users may unknowingly export highly sensitive financial data into external systems with their own storage, access, and compliance implications.

Missing User Warnings

Medium
Confidence: 92%
Finding
Exporting tax data to Excel/CSV creates persistent files that may contain salary, bonus, deduction, and tax identifiers outside the chat environment. If users are not warned, these files can be stored insecurely, shared broadly, or retained longer than intended, creating avoidable confidentiality risks.

VirusTotal

63/63 vendors flagged this skill as clean.
