v1.1.2

Kazakhstan tax assistant

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:28 AM.

Analysis

This is a coherent Kazakhstan tax-code lookup skill, with some disclosed local-script and insecure-download behaviors users should understand before relying on it.

Guidance: Before installing, be aware that the skill relies on local Node.js scripts and bundled legal text. Keep custom file searches limited to intended law documents, and avoid the --insecure download mode unless you trust the network or can verify the downloaded source.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
scripts/_shared.mjs
console.warn("⚠️  --insecure: проверка TLS отключена. Используйте только в доверенной сети.");
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

The fetch/update path can intentionally disable TLS certificate verification. This is disclosed and gated by --insecure, but it can reduce confidence that downloaded legal text came unmodified from the intended source.

User impact: If used on an untrusted network, a tampered download could lead the assistant to give wrong tax-law information.
Recommendation: Prefer the documented manual HTML download path or verify downloaded documents before relying on them; use --insecure only on a trusted network.

Tool Misuse and Exploitation
Severity: Low, Confidence: Medium, Status: Note
scripts/search.js
const resolved = filePath.startsWith("/") || filePath.match(/^[A-Za-z]:/) ? filePath : join(process.cwd(), filePath);
return readFileSync(resolved, "utf-8");

The custom --file search mode can read a user-specified local path. The documented purpose is searching downloaded law files, but the code itself does not restrict paths to the skill's data directory.

User impact: If pointed at the wrong file, the assistant could include snippets from unrelated local files in its answer.
Recommendation: Use --file only with intended legal-document files, preferably under the skill's data directory, and avoid pointing it at private or credential-containing files.