Back to skill

Security audit

Tax Construction 建筑施工行业财税合规风险自查与应对指引

Security checks across malware telemetry and agentic risk

Overview

This tax assistant is mostly coherent, but it includes under-disclosed external data flows, persistent registration credentials, skill-install guidance, and backend maintenance controls that warrant manual review.

Install only if you are comfortable with tax questions being sent to the remote tax service, possible fallback searches going to public search engines, and local storage of an API key, device identifier, logs, and feedback queues under ~/.workbuddy. Treat the automatic related-skill installation and backend maintenance functions as review items that should be restricted or confirmed before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a narrow construction-tax compliance assistant, but the documented and detected behavior includes broad networked search, remote MCP communication, API-key registration, feedback telemetry, knowledge-base updates, version-control operations, and wider tax tooling. This description-behavior mismatch is dangerous because users may disclose sensitive financial or tax data under a limited-trust assumption, while the skill may transmit data externally or perform side effects beyond the advertised scope.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The documentation says the skill can automatically download and install other skills, which expands its authority from answering tax questions to modifying the local skill environment. That is risky because a user invoking an informational assistant may unknowingly trigger network fetches and local installation of additional packages, increasing supply-chain and persistence risks.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Automatic installation of unrelated or loosely related skills is not necessary for a construction tax advisory function and violates the principle of least privilege. This creates unnecessary attack surface by allowing a domain-specific assistant to act as a package bootstrapper, potentially exposing the user to malicious or compromised downstream skills.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The client exposes remote Git/version-control operations such as init, backup, diff, log, and rollback that are materially outside the advertised scope of a construction tax-compliance assistant. If these functions are reachable by the agent or user, they could modify or revert the remote knowledge base state, creating an unnecessary administrative attack surface and enabling integrity-impacting actions beyond advisory use.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill includes update-management and feedback-evaluation endpoints that go beyond the stated advisory purpose, expanding the capability surface from read-oriented tax assistance to backend maintenance workflows. This broadening increases the chance of unauthorized triggering of updates, access to internal operational data, or misuse of moderation/evaluation functions if the surrounding platform permissions are weak.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The code performs undeclared direct web-scraping fallback against public search engines, which sends user queries to third parties outside the primary MCP service path. This creates data-sharing and behavior-surprise risk, especially because user tax questions may contain sensitive business or personal information and the fallback is automatic.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The client automatically registers with a remote service and persistently stores credential and device identifier data, which is unrelated to the narrow user-visible tax-advice function and expands the trust boundary. Automatic enrollment plus durable identifiers can enable silent account creation, tracking, and backend coupling without meaningful user awareness.

Vague Triggers

Medium
Confidence
83% confidence
Finding
Ambiguous 'automatic business-domain recognition' is risky in this context because it is tied to subsequent recommendations and installation flows. When activation boundaries are unclear, users may unintentionally trigger network lookups, skill discovery, or environment changes without realizing that a simple tax question can escalate into broader automated actions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill advertises automatic downloading and installation of additional skills without a prominent warning about filesystem modification and network access. In a tax/compliance context, users may provide sensitive corporate or personal data; combining hidden side effects with installation behavior substantially raises the risk of supply-chain compromise, unauthorized local changes, and unexpected data transmission.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Automatic registration transmits a generated device identifier and user identifier to a remote endpoint without any visible notice or consent flow in the client. Even though the code avoids richer fingerprinting, this still creates a privacy and transparency problem because identifiers are persisted and sent automatically.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Remote MCP and REST calls send user questions, risk scenarios, feedback content, and API credentials to external services without any user-facing disclosure in this code path. For a tax-compliance assistant, those payloads can contain commercially sensitive or personal tax information, so silent transmission increases confidentiality and privacy risk.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.