Back to skill

Security audit

Global Tax Guide

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only ecommerce tax guidance skill with no executable behavior, though users should verify tax details and note unrelated capability tags.

Use this as an educational checklist, not tax or legal advice. Verify thresholds, scheme names, and filing obligations with current official sources or a qualified tax professional before acting. Do not provide tax portal logins, bank details, API keys, or account access; this skill does not need them. The listed crypto and purchase capability tags appear unrelated to the artifact’s purpose and should be treated as unnecessary metadata rather than a needed permission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
Line L139 states that the UK has 'a separate equivalent called the OSS for UK imports,' which contradicts the surrounding documentation's tax-guidance purpose because OSS is an EU scheme, not a UK import scheme. This is not merely incomplete guidance; it actively misstates the scheme name and could mislead users about what compliance mechanism actually exists.

Vague Triggers

Low
Confidence
84% confidence
Finding
This markdown file describes the skill's purpose broadly as helping users navigate multi-country ecommerce tax obligations, but it does not specify concrete trigger phrases, usage constraints, or when the skill should not activate. Without explicit scope boundaries or exclusions, a router could over-invoke it for general tax or ecommerce questions beyond the intended compliance-mapping use case.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
|---|---|---|---|
| Jurisdiction to assess first | Highest revenue market above threshold | Market approaching threshold | Market with negligible volume |
| Threshold status signal | Revenue + transaction count both clear | Revenue clear, count borderline | Only one metric tracked |
| Marketplace facilitator reliance | Platform confirmed MF in writing | Platform docs say MF applies | Assumed MF without confirmation |
| Filing scheme choice | OSS/IOSS for EU multi-country | Individual country VAT registrations | No scheme, selling anyway |
| Product classification approach | Category confirmed with local customs code | Same category used across all regions | Default to standard rate everywhere |
| Professional support trigger | Revenue exceeds $50k in new market | Launching into regulated product category | Any cross-border expansion |
Confidence
75% confidence
Finding
without confirmation

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.