Security audit

Salary Tax Calculator

Security checks across malware telemetry and agentic risk

Overview

This tax calculator does not appear malicious, but it overstates supported tax features and can silently omit user-provided income from calculations.

Install only if you treat it as a basic salary-and-bonus estimate tool. Do not rely on it for labor-remuneration income, annual tax settlement, reverse salary calculations, or any filing decision without independently verifying the result in the official tax app or with a qualified tax professional.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The skill metadata and file header claim support for 劳务报酬个税 (labor-remuneration individual income tax) and 年度汇算清缴预估 (annual tax settlement estimate), but the implementation only calculates salary withholding and bonus comparison. In a tax-calculation skill, capability overstatement is security-relevant because users may rely on incomplete or incorrect outputs for financial decisions, creating integrity risk rather than code-execution risk.

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The code accepts and displays `other_income`/related claims but never incorporates that value into tax calculations, while documentation says labor remuneration withholding is supported. In this context, silently ignoring income can materially understate tax liability and mislead users into making inaccurate filings or planning decisions.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.