Back to skill

Security audit

Tax Education 教育培训行业财税合规风险自查与应对指引

Security checks across malware telemetry and agentic risk

Overview

The skill mostly serves tax-compliance questions, but it also includes under-disclosed remote admin controls and local storage of sensitive tax prompts.

Review before installing. Avoid pasting confidential ledgers, personal identifiers, payroll details, bank data, or full tax records unless you accept that questions may be sent to a cloud service and stored locally under ~/.workbuddy. The publisher should remove or isolate the remote Git/admin functions, disclose all network destinations and stored data, and add explicit confirmation and package details for any related-skill installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a narrowly scoped education-tax compliance assistant, but its documentation indicates much broader capabilities: generic tax guidance, remote service communication, automatic key registration, update triggers, feedback submission, and even Git-style backup/rollback operations. That scope expansion is dangerous because users may grant trust and invoke it under a limited-risk assumption while the skill can exfiltrate data, modify local state, or pull/install additional content beyond the declared domain.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The privacy statement claims no device, host, or personal privacy data is collected, yet the same document describes automatic domain identification and cloud-backed service calls. Even if device fingerprints are not collected, user queries and business context are likely transmitted externally, so the claim is materially misleading and may cause users to share sensitive tax, payroll, or school-operational data under false assumptions.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This client exposes feedback administration, update orchestration, and repository-management capabilities that materially exceed the stated purpose of a tax-education assistant. Scope expansion is dangerous because it increases the attack surface and may let a caller trigger privileged backend actions that are unrelated to answering tax questions, especially if upstream authorization is weak or misconfigured.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
The skill exposes Git control endpoints such as init, backup, diff, log, and rollback despite those functions being unrelated to an education tax assistant. If these backend endpoints act on a live knowledge repository or host workspace, an attacker could use the skill to inspect history, revert content, or manipulate operational state, creating a high-risk integrity and availability issue.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The client silently self-registers with a remote service and persists returned credentials locally, a capability not disclosed by the assistant description. While likely intended to simplify setup, undisclosed credential enrollment and storage create privacy and trust risks and can expose tokens to other local processes if filesystem permissions are weak.

Vague Triggers

Medium
Confidence
81% confidence
Finding
Telling users they can invoke the skill 'like chatting' without special commands creates an overly broad activation surface. In a skill that also advertises network access, cloud lookups, and install/recommendation flows, ambiguous triggering increases the chance of unintended data disclosure or accidental execution of higher-risk behaviors from ordinary conversation.

Vague Triggers

Medium
Confidence
86% confidence
Finding
Automatic business-domain recognition and related-skill triggering are described without clear limits, while the skill also promotes one-click installation of an entire skill matrix. In context, this makes the issue more dangerous because tax/compliance users may unknowingly cause broader skill installation or routing to external services from a seemingly simple advisory query.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Feedback handling writes user-supplied questions and expected answers to a local queue file without clear notice or consent. Because tax questions may contain sensitive business, financial, or personal data, local persistence increases the risk of unintended disclosure through other users, malware, backups, or support bundles.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The logging function records raw questions and risk scenarios to local JSONL files without any visible warning. In this skill context, prompts can easily include confidential tax, payroll, school-finance, or investigation details, so routine logging creates a meaningful confidentiality risk even if no exploit sophistication is required.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The client automatically transmits device and user identifiers to a remote registration service without a clear user-facing disclosure. Even though the code avoids stronger fingerprinting, silent identifier transmission still has privacy implications and can enable remote correlation of installations and usage over time.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.