Tax Package Preparation

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent tax-prep purpose, but it asks users to run an unreviewed local pipeline against sensitive QBO and client tax data without enough credential, storage, or retention guidance.

Install only if you can review the referenced pipeline script in your own workspace, confirm the QBO token is scoped to the right client and preferably read-only, and store or delete generated workbooks and cache files according to your client confidentiality requirements.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill handles highly sensitive financial and potentially tax-related personal data from QBO and client SOP files, writes outputs to local storage, and persists year-over-year snapshots in a cache, but the documentation provides no privacy notice, retention guidance, access-control expectations, or warning about sensitive data exposure. In this context, omission of data-handling safeguards increases the risk of accidental disclosure, over-collection, insecure local storage, and unauthorized access to cached tax data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal