Back to skill

Security audit

Tax Crossborder Trade 跨境电商与贸易财税合规风险自查与应对指引

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a tax-advice assistant, but it also advertises automatic installation of other skills and exposes under-disclosed backend/admin and data-retention behavior that users should review first.

Install only if you are comfortable with a cloud-backed tax assistant that stores local credentials/logs and may transmit your tax questions to remote services. Avoid entering raw personal identifiers, bank details, full tax numbers, or confidential transaction data, and review any prompt to install related skills before approving it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill presents itself as a narrowly scoped cross-border tax assistant, but the described behavior expands into generic tax workflows, remote registration, local storage of identifiers or API keys, feedback submission, update operations, and Git-style repository management. That mismatch is dangerous because users may grant trust and permissions based on the stated tax-advice purpose while the skill performs broader system- and network-affecting actions outside that expectation.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The privacy statement says the skill only uses a random anonymous identifier and does not collect device or personal data, yet the declared filesystem and network permissions enable access to local files and external transmission. Even if no abuse is proven from the markdown alone, this is a meaningful trust and transparency failure that can mislead users into sharing sensitive tax and identity information under false assumptions about collection and transmission limits.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The skill is presented as a narrowly scoped cross-border tax assistant, but this client exposes unrelated high-privilege operations including repository and feedback-management endpoints. Scope expansion matters because users and hosts may grant trust based on the declared purpose, while the code can invoke capabilities beyond that purpose, increasing the chance of misuse or unauthorized changes to backend-managed assets.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Repository control functions such as init, backup, diff, log, and rollback are unrelated to end-user tax advice and expose administrative actions through the skill interface. If reachable by an agent or user operating under the assumption of a tax-only assistant, these functions could alter or reveal backend repository state, creating integrity and operational risk.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The client silently performs remote registration and acquires persistent API credentials, which exceeds the narrow expectations of a tax-advisory helper and creates an undisclosed trust relationship with an external service. This is dangerous because it expands data flows and credential lifecycle management without clear user awareness or explicit authorization.

Vague Triggers

Medium
Confidence
75% confidence
Finding
The skill encourages broad, unconstrained invocation through normal conversation without clearly limiting what actions may occur as a result. In a skill that also advertises installation, remote lookup, and automatic domain recognition, vague activation language increases the chance of unexpected execution paths or privileged operations being triggered from casual user input.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The 'automatic business-domain recognition' feature is described ambiguously, making it unclear when the skill will switch modes, recommend other skills, or trigger downstream actions. In context, this is more dangerous because the skill also advertises one-click installation of related skills, so ambiguous recognition can become a gateway to unanticipated system modification or broader data exposure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The markdown explicitly states that saying certain phrases will cause the system to automatically download and install other skills into the user's skill directory, with no prominent warning about system modification, code provenance, or supply-chain risk. This is a real security concern because it normalizes remote code acquisition and local persistence from conversational input, potentially expanding privileges and attack surface well beyond the original skill.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The registration flow transmits user/device identifiers to a remote service and persists the returned API key locally without any visible notice or consent mechanism in this file. Even if the identifiers are limited, silent collection and credential storage create privacy and security exposure, especially on shared systems or managed enterprise hosts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
MCP calls automatically inject API keys into request parameters and transmit user questions or scenarios to a remote service without clear in-band disclosure. Sending credentials in the body increases exposure through logs and intermediaries, while forwarding potentially sensitive tax scenarios off-host can leak confidential business information.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
When remote service calls fail, the client sends user queries to third-party search engines without explicit warning at the point of use. Tax questions may contain sensitive facts about corporate structure, income, transactions, or investigations, so silent fallback materially increases confidentiality risk.

Missing User Warnings

Low
Confidence
82% confidence
Finding
Feedback queuing writes user question and expected answer content to a local JSONL file without clear disclosure or protection. Although local-only, this can expose sensitive tax details to other local users, backups, or endpoint monitoring if stored in plaintext.

Missing User Warnings

Low
Confidence
86% confidence
Finding
Operational logs persist user questions and scenarios to local log files without explicit disclosure. Because tax queries often contain confidential business and personal details, plaintext logging can create unnecessary data retention and confidentiality exposure on the endpoint.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.