Security audit

Illegal Dismissal Guide

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed labor-rights guidance and compensation calculator with no hidden data access, credentials use, network behavior, or persistence beyond writing a user-requested report.

Before relying on this skill, verify current local labor-law rules and the latest official local average-wage cap, and review generated claim amounts with a lawyer or 12348 because the skill includes older reference wage data and one confusing worked-example typo.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
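The description claims to cover the complete process for responding to an illegal dismissal and a range of legal-practice functions, but the code only implements the N, N+1, and 2N compensation calculations, handling of the local average-wage cap, calculation of years of service, and output of a compensation calculation table. The code does not implement core functions such as analysis of whether the termination was lawful, the steps for an employee's forced resignation, design of arbitration claims, or an evidence checklist. The code's actual capability is therefore clearly narrower than its declared purpose, which constitutes a mismatch between description and behavior. No hidden resource access or additional sensitive behavior unrelated to the declared purpose was found.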

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The compensation example appears to miscalculate tenure by treating 3 years and 8 months as '4个月' in the narrative while still computing N as 20,000 × 4, which can confuse users about how severance is derived. In a labor-rights guidance skill, incorrect compensation calculations can directly mislead users about claim amounts, negotiation posture, and arbitration requests, causing financial harm or weakened legal positions.

VirusTotal

64/64 vendors flagged this skill as clean.
