XPR Crypto Tax

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate XPR crypto tax reporter, but it directs agents to upload sensitive tax reports and CSVs to external deliverable URLs without clear privacy controls.

Review before installing if you would not want wallet-linked tax reports, income events, disposals, or balances uploaded to external deliverable storage such as IPFS-style URLs. Use a dedicated CoinGecko key if needed, verify the selected jurisdiction and tax-year boundaries, and do not rely on the report as tax advice without professional review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill documentation indicates use of environment variables and networked APIs, but the skill metadata declares no corresponding permissions. This creates a transparency and governance gap: operators may enable the skill without understanding that it can access secrets and send data externally. In a tax-reporting context, that is especially sensitive because wallet history and generated reports may contain financial and personal data.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The skill claims that "all tools are read-only," but later instructs the agent to upload generated files and invoke a delivery action. This is a dangerous mismatch because users and reviewers may trust the skill as non-mutating while it actually performs outbound write operations and external delivery of sensitive tax artifacts. That discrepancy can lead to unauthorized disclosure of financial records.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The inline documentation presents the skill as read-only, but subsequent instructions require storing deliverables and calling a job-delivery action. This inconsistency increases the risk of deceptive or misunderstood behavior, especially in an agent setting where downstream systems may rely on documentation to determine safety. Because the content involves tax reports and transaction histories, the write operations expose highly sensitive financial data.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The module-level documentation explicitly claims all tools are read-only, but the implementation imports fs/path and persists a rate cache to disk. This creates a capability mismatch that can mislead operators, reviewers, and sandbox policy engines into granting broader trust than the code deserves, even though the write target is only a local cache file.

Description-Behavior Mismatch

Low
Confidence: 90%
Finding
The skill is presented as a tax-reporting utility, but it also performs undeclared local filesystem persistence for historical rate caching. Undisclosed side effects weaken trust boundaries and can violate least-privilege assumptions in environments that expect analytical or read-only skills to avoid host writes.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to upload tax reports and CSV exports to externally accessible URLs/IPFS and deliver them, but it does not prominently warn about the privacy implications. Tax reports, balances, disposals, income events, and wallet-linked activity are highly sensitive, and publishing them to persistent or broadly retrievable locations can cause serious confidentiality loss. In this context, omission of a privacy warning materially increases user risk.

Missing User Warnings

Medium
Confidence: 93%
Finding
The report-generation path sends the user-supplied account identifier to third-party services (Saltant and MetalX) to retrieve balances, transfers, and trades, but the code contains no consent gate, disclosure mechanism, or privacy notice before doing so. Even if the account name is public on-chain, correlating it with tax-report generation and specific time ranges can expose sensitive financial profiling to external providers.

Natural-Language Policy Violations

Medium
Confidence: 81%
Finding
The skill defaults to New Zealand tax settings when no region is provided, which can silently produce materially incorrect tax calculations for users in other jurisdictions. In a tax-reporting context, an implicit locale default is risky because users may trust the output and make compliance decisions based on the wrong rules, brackets, and tax-year boundaries.

VirusTotal

66/66 vendors flagged this skill as clean.
