Back to skill

Security audit

Tax Equity Governance 股权治理财税风险自查与应对指引

Security checks across malware telemetry and agentic risk

Overview

The skill is a tax assistant, but it includes under-disclosed external search, local storage of sensitive tax questions, auto-install guidance, and backend maintenance functions that go beyond ordinary advice.

Review before installing. This skill may be useful for tax research, but avoid entering confidential transaction details, shareholder identities, account data, or privileged legal/tax facts unless you accept that prompts can be sent to remote services or third-party search and stored locally under ~/.workbuddy. Do not use the matrix auto-install feature without separately reviewing each related skill and its permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill is presented as a narrowly scoped equity/governance tax assistant, but the behavior summary indicates much broader capabilities: general tax Q&A, online search, feedback submission, knowledge-base updates, and Git-style local maintenance operations. That scope expansion is dangerous because users may grant trust and local access based on a specialized description, while the skill can perform unrelated networked or filesystem-affecting actions that materially enlarge the attack surface.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The file is a generic tax-policy MCP client with broad capabilities that exceed the skill’s declared equity-governance tax-advisory scope. This scope mismatch matters because it increases the accessible backend surface area and makes it easier for a narrowly-scoped assistant to invoke unrelated operations, violating least privilege and enabling unexpected data flows or administrative actions.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
The skill exposes remote Git administration actions such as init, backup, diff, log, and rollback, which are unrelated to end-user equity-tax advice and represent powerful backend maintenance capabilities. If these functions are reachable through the skill, an attacker or prompt-injected workflow could manipulate backend state, inspect repository contents, or roll back data, causing integrity loss and possible disclosure of sensitive materials.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The client can trigger backend knowledge-base updates and batch feedback evaluation, which are operational maintenance actions rather than end-user advisory features. Exposing them through a user-facing skill can let untrusted inputs influence content lifecycle or processing pipelines, creating integrity risks, abuse potential, and opportunities for prompt-driven unauthorized maintenance activity.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The module identifies itself as a general tax-policy knowledge-base client, conflicting with the manifest’s narrower equity-governance identity. This inconsistency is dangerous because it signals repurposed code and hidden capability expansion, which can mislead reviewers and users about what external services, tools, and data-processing behaviors are actually available.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file is presented as an offline fallback utility, but it still performs HTTP health checks and JSON-RPC calls to a local MCP service. In an agent setting, this creates unintended network interaction, weakens offline guarantees, and can leak usage metadata or trigger behavior through any process bound to 127.0.0.1:9097, including a malicious local service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly advertises one-command automatic installation of additional skills into the user's local skill directory, but it does not provide a clear, prominent warning that this will modify local files or potentially expand permissions and code surface. In this context, the danger is amplified because the skill already has network access and filesystem access, so auto-installation can chain into unreviewed code acquisition and persistent local changes under a benign-sounding workflow.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The client logs user questions, scenarios, and error details to local files under the user home directory without any visible consent or minimization. In a tax and equity-governance context, these inputs may contain highly sensitive financial, corporate, or personal data, so persistent local logging increases privacy risk, forensic exposure, and the chance of later unauthorized access by other local processes or users.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Feedback queuing stores full question and expected-answer content locally, which can include confidential tax facts, transaction structures, and personal identifiers. Because this happens automatically and without clear disclosure, the queue file becomes a sensitive data cache that may be read, exfiltrated, or retained longer than users expect.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
In fallback mode, the client automatically sends user queries to external search engines such as Bing and Baidu without an explicit just-in-time warning or consent gate. For a tax-equity governance assistant, user prompts may contain confidential transaction details, ownership structures, or compliance concerns, so silent transmission to third parties creates material privacy and confidentiality risks.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.