Back to skill

Security audit

Tax Compliance Dispute 合规争议财税专题

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real tax-compliance assistant, but it includes under-scoped installation, logging, and backend administration capabilities that users should review before installing.

Review this skill before installing in an environment with confidential tax, audit, business, or legal materials. Confirm you are comfortable with cloud service calls, local logging under ~/.workbuddy, persistent API credentials/device identifiers, automatic related-skill installation claims, and backend Git/admin functions being present in the shipped client.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill is presented as a tax-compliance advisory assistant, but the documented/observed behavior includes remote updates, feedback submission, API-key registration and persistence, web-search fallback, and even Git repository operations. That mismatch is dangerous because users may disclose sensitive tax, audit, or dispute data to a tool whose real capabilities extend well beyond advisory use, increasing the risk of hidden exfiltration, unauthorized state changes, and supply-chain expansion.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The documentation promises automatic download and installation of additional skills, which is a supply-chain and local-environment modification risk. Even if permissions technically allow network and filesystem access, advertising silent or one-shot installation without clear trust boundaries, verification details, or consent creates a real risk of introducing unreviewed code into the user's environment.

Intent-Code Divergence

Low
Confidence
72% confidence
Finding
The privacy statement says no device, hostname, or personal information is collected, while also stating that cloud-backed service calls use a locally generated identifier. That inconsistency can mislead users about what metadata is transmitted and retained, which is especially sensitive in a tax/legal context where even pseudonymous identifiers can support tracking across sessions.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The client exposes broad administrative endpoints such as update-log, update-stats, feedback batch evaluation, and especially Git management/rollback functions that are outside the stated purpose of a tax compliance assistant. Expanding a user-facing skill into remote maintenance and repository-control operations increases attack surface and can enable unauthorized state changes, rollback of knowledge content, or abuse of privileged backend capabilities if the skill is invoked by untrusted prompts or users.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Git initialization, backup, log, diff, and rollback are powerful repository-management capabilities with no clear justification for an end-user tax-dispute assistant. If reachable through the skill, they could be abused to alter, revert, inspect, or operationally interfere with the backend knowledge base, turning a content assistant into a control plane for sensitive infrastructure.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill prominently advertises automatic download and installation of other skills but does not provide an equally prominent warning that this changes the local system and expands the trust boundary. In practice, this can lead users to authorize code acquisition and local modification without understanding the security implications.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill sends user tax questions and dispute scenarios to remote services and can also fall back to external web search, but it does not present a clear user-facing disclosure or consent step before transmitting potentially sensitive financial, tax, or legal information off-device. In this skill context, prompts may contain confidential business facts, invoices, audit details, or dispute materials, making silent transmission materially risky.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The client automatically logs questions, scenarios, registration events, and feedback to local files under the user's home directory without clear notice, retention limits, or sensitivity controls. Because this assistant handles tax compliance and dispute content, local logs may accumulate sensitive corporate or personal data that could later be exposed to other local users, backup systems, or malware.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.