ClawHub
Back to skill

Security audit

Tax Document Deduction Organizer

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only tax document organization skill with clean scans, but its automatic activation rules are broader than ideal for sensitive financial workflows.

Install only if you want a checklist/workflow helper for organizing tax records. Avoid sharing SSNs, account numbers, credentials, or full raw financial records unless necessary, and treat any deduction or estimated-tax output as organization support rather than professional tax advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrases are overly broad and closely resemble normal user requests, which can cause the skill to activate in situations the user did not explicitly intend. In a tax-related workflow, unintended activation can steer sensitive financial conversations into this skill unexpectedly, increasing the chance of inappropriate guidance, privacy exposure, or bypass of more suitable routing.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad, repetitive, and weakly scoped, which can cause the skill to activate for loosely related requests rather than explicit tax-document organization tasks. In an agent setting, overbroad invocation can lead to unintended handling of sensitive financial content, user confusion, or routing around more appropriate specialized or compliant workflows.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill description is broad enough to match many ordinary finance or business requests, which can cause unintended activation outside the author's narrow intended use. Over-broad routing increases the chance that the skill is invoked in the wrong context, leading to irrelevant guidance, exposure of sensitive financial data to unnecessary processing, or interference with more appropriate higher-priority skills.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The keyword triggers are generic terms like business-and-operations, tax documents, deductions, receipts, and filing checklist, which are common across many unrelated user requests. Generic triggers create unsafe ambiguity in skill selection, making accidental invocation likely and potentially causing the system to steer users into sharing sensitive tax and financial records when a narrower skill or normal assistant behavior would be more appropriate.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill description and usage scope are broad enough to overlap with many ordinary business or finance requests, which can cause the agent to invoke this skill when the user did not specifically ask for tax-document organization help. Mis-triggering is dangerous because it can steer conversations into tax-related procedural guidance unnecessarily, increasing the chance of irrelevant advice or mishandling sensitive financial information.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The keyword list contains common phrases like 'business-and-operations' and other broad tax-related terms without guardrails, which raises the likelihood of accidental activation in unrelated contexts. In a skill that may handle sensitive receipts, deductions, and filing materials, overly generic triggers can expose users to inappropriate workflow guidance and unnecessary collection or processing of financial data.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill enables implicit invocation while using a broad, vague activation description tied to general tax-document help. That can cause the agent to invoke this skill in situations the user did not clearly intend, increasing the chance of unnecessary access to sensitive financial and tax information or steering the workflow without explicit consent.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger sentences are written as highly generic natural-language phrases such as 'Help me ...' and 'I need a practical workflow for ...', which can match ordinary user requests far beyond the intended tax-document use case. This can cause unintended skill activation and routing, leading the agent to apply tax-organizing logic in unrelated contexts and creating prompt-selection or behavior-confusion risk.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal