Back to skill

Security audit

Tax Capital Reduction 减资撤资(未实缴减资)个人所得税财税合规风险自查与应对指引

Security checks across malware telemetry and agentic risk

Overview

This tax helper has a coherent core purpose, but it includes broader network use, local plaintext storage, automatic skill-install guidance, and backend admin functions that are not clearly scoped for a user-facing tax assistant.

Install only if you are comfortable with tax questions being sent to the cloud service and potentially to fallback public search engines, and with local plaintext logs/queues under ~/.workbuddy. Avoid entering unnecessary personal identifiers or confidential business facts unless the publisher clarifies retention, redaction, admin endpoint authorization, and exactly what the matrix installer will add.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill is presented as a narrowly scoped tax-capital-reduction advisor, but the behavior summary indicates much broader capabilities: external communications, local web/data access, feedback/statistics, version-control operations, and installation/update flows. That scope mismatch is dangerous because users may grant trust and permissions appropriate for a tax Q&A tool while the skill can perform unrelated actions affecting local state, external data disclosure, or supply-chain expansion.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The privacy statement claims minimal collection and no device/host information, yet the skill advertises automatic download and installation into the local skill directory. Even if no explicit host metadata is exfiltrated, this creates a misleading trust boundary because local system interaction and package installation are materially more sensitive than simple anonymous cloud queries.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The client loads a broad tool catalog and supports capabilities far beyond the declared purpose of a narrow tax-capital-reduction assistant. This violates least privilege: if the skill or upstream service is invoked unexpectedly, the agent can reach generic knowledge, feedback, and administrative functions unrelated to the user’s task.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The file exposes remote update, feedback batch evaluation, and Git management operations, including rollback and backup triggers. In a user-facing tax advisory skill, these are privileged administrative actions that could alter backend content or system state if the client is abused, misrouted, or the service trusts the client too broadly.

Vague Triggers

Medium
Confidence
86% confidence
Finding
Broad trigger phrases such as '安装完整财税技能矩阵' and '安装关联财税技能' can cause the skill to activate in contexts unrelated to this specific tax topic, potentially leading to unexpected installation workflows. In a skill that also advertises automatic downloading of additional components, overbroad activation increases the risk of unintended supply-chain expansion or user confusion-driven consent bypass.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill writes user questions, expected answers, and operational data to local logs and feedback queues under the user’s home directory without clear consent, minimization, or retention controls. Tax questions often contain highly sensitive financial and identity-related details, so persistent plaintext storage creates a privacy and local disclosure risk.

Ssd 3

Medium
Confidence
97% confidence
Finding
The feedback workflow persistently stores natural-language user questions and expected answers in a local queue file, creating a durable collection path for sensitive tax content. Because this data is stored in plaintext and tied to operational workflows, it increases the chance of accidental disclosure to other local users, backup systems, or support tooling.

Ssd 3

Medium
Confidence
96% confidence
Finding
Operational logging records raw questions and scenarios during policy and risk-check flows, retaining user-supplied tax narratives beyond immediate processing. In this skill context, those narratives may contain company ownership, capital changes, liabilities, and personal tax facts, making local log retention particularly sensitive.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.