Back to skill

Security audit

Tax Incentives 优惠资质财税专题

Security checks across malware telemetry and agentic risk

Overview

This tax-help skill has a coherent core purpose, but it also includes under-disclosed search, bulk skill installation guidance, and remote administrative/Git functions that users should review before installing.

Review this skill before installing. Its main tax-advisory behavior is understandable, but users should be comfortable with cloud processing, a persistent anonymous service identifier, possible public-search fallback, automatic installation of related skills, and packaged administrative/Git functions that are broader than the advertised tax-incentives workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Tp4

High
Category
MCP Tool Poisoning
Confidence
82% confidence
Finding
The skill presents itself as a narrow tax-incentives assistant, but the finding indicates materially broader capabilities including search, remote knowledge-base management, feedback/statistics handling, and Git/version-control operations. That mismatch can mislead users into granting trust and triggering actions they would not expect, especially when combined with network access and local filesystem access.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The file implements a broad local web-search fallback that queries public search engines and parses arbitrary results, which materially expands the skill’s behavior beyond a bounded tax-policy assistant. This increases data exposure and prompt-scope drift: user tax questions may be sent to third-party search providers, and returned content is less controlled than the declared MCP knowledge service.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The client exposes operational capabilities for feedback administration, update management, and Git control that are not represented in the skill description and are unrelated to ordinary tax-advisory interactions. Hidden or undocumented privileged operations enlarge the attack surface and could let an invoking agent trigger sensitive server-side actions with security consequences the user would not reasonably expect.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Git init, backup, diff, log, and especially rollback are powerful repository-management actions that are context-inappropriate for a tax-incentives advisory skill. If reachable by an agent or user workflow, they can alter or expose backend knowledge assets, create integrity issues, or reveal internal change history unrelated to the assistant’s stated purpose.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The file is presented as an offline fallback helper, but it still performs live HTTP requests to a local MCP manager for health checks and tool calls. This mismatch can mislead users and downstream agents into assuming no network interaction occurs, which weakens trust boundaries and may enable unintended service interaction or data exposure when the fallback path is used.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The generic call_tool method can invoke arbitrary MCP tools by name with caller-supplied arguments, which is broader capability than needed for an offline tax guidance helper. Even though the endpoint is localhost, this expands the attack surface and creates a confused-deputy risk if other local services or privileged MCP tools are exposed through the manager.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill advertises automatic installation of additional skills 'download and install to your skill directory' based on simple user phrases, without a prominent warning about network retrieval, code/content changes, or filesystem modification. This creates a supply-chain and consent risk because users may trigger installation of new capabilities without understanding that local state and executable skill surface are being expanded.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
User questions and tax-risk scenarios are transmitted to remote services, but this code provides no explicit user-facing disclosure or consent mechanism at the point of collection. In a tax/compliance context, prompts may contain sensitive financial, operational, or personally identifying information, so silent transmission raises privacy and compliance risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The client automatically registers with a remote auth service and sends a persistent device identifier without explicit user warning or consent. Even though the identifier is randomly generated rather than hardware-derived, it still enables durable correlation of activity across sessions and can support tracking tied to sensitive tax queries.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.