Back to skill

Security audit

Tax Ecommerce 国内电商与直播财税合规风险自查与应对指引

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a tax-compliance assistant, but it also includes under-scoped network, installation, local persistence, and remote administration behaviors that users should review before installing.

Install only if you are comfortable with a cloud-backed tax assistant that writes under ~/.workbuddy, stores an API key/device identifier, may send tax questions to remote services and public search engines during fallback, and can guide installation of additional related skills. Avoid entering raw personal identifiers, bank details, full tax numbers, or confidential account data unless the publisher provides stronger privacy and permission documentation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is ներկայացված as a narrowly scoped tax-compliance assistant, but the documented behavior and static analysis indicate materially broader capabilities: remote communications, knowledgebase updates, feedback telemetry, version-control actions, offline CLI workflows, and cross-domain tax logic. That mismatch is dangerous because users may grant trust and local access based on a benign advisory description while the skill can perform additional actions that affect local state, exfiltrate data, or expand its operational scope.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
A tax/compliance Q&A skill should not silently or automatically act as a package manager for other skills. Automatic download/install into the user's skill directory creates a supply-chain and local-persistence risk, especially because installation changes the trusted execution surface beyond what the user originally requested.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Automatic installation of additional skills is an unjustified capability for an advisory assistant and materially increases attack surface. If an external endpoint or dependency is compromised, this mechanism could be abused to place malicious content into the user's local skill environment under the guise of a benign tax tool.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The privacy statement minimizes data collection and local impact, but elsewhere the documentation describes downloading and installing skills into the local directory. This inconsistency is dangerous because it can mislead users about the degree of local access and behavioral footprint, undermining informed consent and masking the real security implications of the skill.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
This client exposes broad administrative endpoints such as update-log/statistics, feedback batch evaluation, Git init/backup/log/diff/rollback, and knowledge-base update triggers that go well beyond a normal end-user tax assistant. If these functions are reachable by the agent runtime or indirectly invokable by user prompts, they can be abused to alter, inspect, or roll back server-side knowledge assets and operational state, expanding the attack surface substantially.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The code performs direct fallback scraping of Bing and Baidu using arbitrary user queries, which sends user-provided tax questions to third-party public search engines outside the primary MCP service path. In a tax/compliance context, queries may contain sensitive financial, business, or personally identifying information, creating unannounced data disclosure and integrity risks because results are untrusted and parser-based scraping is brittle.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The client auto-registers with a remote service and persistently stores API keys and device identifiers under the user's home directory without any visible consent or storage protection in this file. This increases privacy and credential-handling risk: local compromise or overly permissive file access could expose long-lived credentials, and silent registration broadens outbound data sharing beyond the manifest's described assistant behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation advertises automatic installation into the user's local skill directory without a prominent warning that local files will be modified. That is dangerous because users may trigger a phrase expecting informational help, not realizing it can change their local environment and persist new capabilities.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
User questions and risk scenarios are transmitted to remote services for tax_policy_ask and risk_check with no user-facing notice, consent gate, or redaction step in a domain that often includes sensitive tax, income, invoice, and compliance facts. This creates a confidentiality risk because users may unknowingly send regulated or highly sensitive business information to a third-party backend.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Feedback entries containing user questions and expected answers are appended to a local JSONL queue without any user-facing notice or evidence of access controls. In this tax-assistant context, those fields can contain sensitive compliance narratives or financial details, so silent local persistence increases the risk of unintended disclosure to other local users, backup systems, or malware.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.