Korean Tax/Tax-Saving Guide (한국 세금/절세 가이드)

Security checks across malware telemetry and agentic risk

Overview

This is a Korean tax guidance skill with expected official-source lookup behavior and no evidence of hidden data access, persistence, exfiltration, or destructive actions.

Reasonable to install for general Korean tax information. Treat outputs as informational, verify deadlines and amounts with NTS/Hometax or a tax professional, and avoid sharing unnecessary identifiers, credentials, resident registration numbers, or full financial records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium (89% confidence)
Finding
The skill invokes another skill's shell script via bash, expanding the attack surface beyond simple tax guidance into command execution. Even though the arguments shown are fixed literals, this creates unnecessary execution capability and trust coupling to external code, which becomes dangerous if the called script is modified, compromised, or later parameterized with user input.

Vague Triggers

Medium (90% confidence)
Finding
The trigger list contains very broad tax-related keywords such as "세금", "절세", and "연말정산" without any visible scoping, exclusion rules, or activation boundaries. This can cause over-triggering in unrelated conversations, routing ordinary discussion into the skill unexpectedly and increasing the chance of inappropriate tool use, irrelevant tax guidance, or disclosure of sensitive financial context.

Natural-Language Policy Violations

Medium (74% confidence)
Finding
The description and triggers are entirely in Korean, but the skill does not clearly declare that it is limited to Korean-language users or Korean tax context. This can lead to misrouting, user misunderstanding, or incorrect assumptions about jurisdiction and applicability, which is especially risky for tax guidance where legal context is highly locale-specific.

Vague Triggers

Medium (91% confidence)
Finding
The beginner alias list contains very generic Korean phrases such as '쉽게', '기초', and '모르겠어' that commonly appear in unrelated conversations. In a trigger-routing system, this can cause accidental activation of the tax skill, leading to irrelevant tax guidance being injected into unrelated user flows and increasing the chance of collecting unnecessary financial context.

Vague Triggers

Medium (86% confidence)
Finding
The trigger phrase at this location is broad enough to match ordinary tax-adjacent questions without reliably identifying a single intent. This creates routing ambiguity, which is especially risky in a tax skill because users may receive incorrect procedural or calculation guidance for the wrong tax category.

Vague Triggers

Medium (94% confidence)
Finding
The tax deduction intent includes a highly generic trigger like '절세', which can match a wide range of conversations from investing to estate planning without enough context. Misrouting here can cause the skill to present incomplete or misleading tax-saving advice, which is more sensitive than a generic FAQ because users may act on it financially.

VirusTotal

66/66 vendors flagged this skill as clean.
