Back to skill

Security audit

Tax Hainan FTP 海南自贸港实质性运营财税合规风险自查与应对指引

Security checks across malware telemetry and agentic risk

Overview

This tax assistant mostly matches its stated purpose, but it exposes under-disclosed installation, logging, feedback, and backend administration capabilities that users should review before installing.

Install only if you are comfortable with a cloud-backed tax assistant that stores local logs/queues under ~/.workbuddy and may send question or feedback text to its service. Avoid entering personal identifiers, bank details, full tax numbers, or confidential business records. Review any prompt to install related skills carefully, because the artifact does not fully specify what will be installed or how permissions and removal are handled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill presents itself as a narrowly scoped Hainan tax-compliance assistant, but the documented behavior indicates much broader capabilities including remote service registration, auto-updates, feedback APIs, Git-style state operations, local persistence, and broader tax-policy querying. That mismatch is dangerous because users may grant trust and permissions based on the stated purpose while the skill performs materially different actions that expand data exposure and supply-chain risk.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation claims minimal data handling and says it does not collect device or host information, yet elsewhere the skill advertises automatic download and installation of other skills into the local skill directory. Even if host data is not collected, this is still a material local-system modification that is not transparently disclosed in the privacy/service statement, which can mislead users about the skill's true operational footprint.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The client implements broad generic tax-policy web search categories and fallback search behavior that significantly exceed the manifest’s narrowly stated Hainan Free Trade Port compliance-assistant scope. This scope expansion increases the chance of unauthorized data access paths, policy misuse, and user over-trust in capabilities that were not disclosed or justified.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file exposes operational endpoints for feedback administration, update logs, update statistics, Git initialization, backup, rollback, and diff retrieval, none of which are reflected in the assistant’s stated end-user advisory purpose. Hidden administrative capabilities create an unnecessary control surface that could be abused to manipulate backend knowledge assets or reveal internal operational state.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
Administrative Git control operations such as init, backup, diff, and especially rollback are highly privileged capabilities that are unrelated to a Hainan tax compliance assistant’s user-facing purpose. If exposed through the skill, they could enable tampering with the knowledge base, recovery of sensitive historical content, or destructive rollback of service state.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Batch feedback evaluation and update-management controls allow the skill to trigger backend operational workflows beyond answering tax questions. In the context of a narrowly scoped advisory assistant, these capabilities increase the blast radius from content assistance to system administration and backend state changes.

Vague Triggers

Medium
Confidence
79% confidence
Finding
Telling users they can invoke the skill 'just like chatting' without clear trigger boundaries makes activation overly broad and can cause the skill to engage on loosely related prompts. In a skill with network access, filesystem access, and auto-install language, ambiguous invocation increases the chance of unintended execution paths or unexpected routing into actions the user did not specifically request.

Vague Triggers

Medium
Confidence
85% confidence
Finding
Automatic business-domain recognition and recommendation of related skills creates ambiguous routing behavior, especially when paired with one-click installation and cross-skill switching. Users may believe they are interacting with a single tax-reference assistant while the system silently expands scope or nudges them into additional skills and permissions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Advertising one-click automatic download and installation of related skills without a prominent warning about local directory modification and network use is a significant security issue. This behavior introduces supply-chain risk, persistence risk, and unexpected privilege expansion, because a content-focused tax assistant can become a software installer that fetches additional components from remote services.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The client logs raw user questions and scenarios to local JSONL files, including potentially sensitive tax, financial, and compliance narratives, without any visible user-facing notice or consent mechanism in this file. This creates a privacy risk because local files may be accessible to other processes, users, backups, or support tooling.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Feedback entries are appended locally with full question and expected-answer content, which may contain sensitive tax or personal information, yet the code provides no visible disclosure or minimization. Persistent local queueing broadens exposure through disk persistence and later replay/transmission.

Ssd 3

Medium
Confidence
96% confidence
Finding
The client persistently stores and transmits raw natural-language user inputs, including questions, scenarios, and expected answers, through logs, feedback queues, and remote feedback APIs. Because this assistant operates on tax/compliance matters, those texts can naturally contain confidential business, financial, or personal data, creating a clear data leakage path.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.